Linux Analysis Report
c0r0n4x.arm7.elf

Overview

General Information

Sample name:	c0r0n4x.arm7.elf
Analysis ID:	1541840
MD5:	12ab7e12a7a0083e820eab357047e6e6
SHA1:	96f60bcb131bd782da18c0adc4abc244b6b14a7b
SHA256:	18c3d744766f93b370579e40ce952cf6c018fe6e4f54edec191852be1746e29b
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains symbols with names commonly found in malware

Executes the "rm" command used to delete files or directories

Sample and/or dropped files contains symbols with suspicious names

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Yara detected Mirai

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: c0r0n4x.arm7.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: c0r0n4x.arm7.elf

ReversingLabs: Detection: 73%

Sample listens on a socket

Source: /tmp/c0r0n4x.arm7.elf (PID: 6213)

Socket: 127.0.0.1:38273

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_get_opt_str
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_method.c
Source: ELF static info symbol of initial sample	Name: attack_method_asyn
Source: ELF static info symbol of initial sample	Name: attack_method_greeth
Source: ELF static info symbol of initial sample	Name: attack_method_greip
Source: ELF static info symbol of initial sample	Name: attack_method_std

Sample and/or dropped files contains symbols with suspicious names

Source: c0r0n4x.arm7.elf	ELF static info symbol of initial sample: __gnu_unwind_execute
Source: c0r0n4x.arm7.elf	ELF static info symbol of initial sample: scanner.c
Source: c0r0n4x.arm7.elf	ELF static info symbol of initial sample: scanner_init
Source: c0r0n4x.arm7.elf	ELF static info symbol of initial sample: scanner_pid
Source: c0r0n4x.arm7.elf	ELF static info symbol of initial sample: scanner_rawpkt

Source: classification engine

Classification label: mal68.troj.linELF@0/0@0/0

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6266)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.asbAjmrCk1 /tmp/tmp.z6UeEg3SX7 /tmp/tmp.BaMNvxBmoN			Jump to behavior
Source: /usr/bin/dash (PID: 6267)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.asbAjmrCk1 /tmp/tmp.z6UeEg3SX7 /tmp/tmp.BaMNvxBmoN			Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/c0r0n4x.arm7.elf (PID: 6213)

Queries kernel information via 'uname':

Jump to behavior

Source: c0r0n4x.arm7.elf, 6213.1.0000557371772000.00005573718a0000.rw-.sdmp	Binary or memory string: xqsU!/etc/qemu-binfmt/arm
Source: c0r0n4x.arm7.elf, 6213.1.00007ffeb5999000.00007ffeb59ba000.rw-.sdmp	Binary or memory string: tx86_64/usr/bin/qemu-arm/tmp/c0r0n4x.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/c0r0n4x.arm7.elf
Source: c0r0n4x.arm7.elf, 6213.1.0000557371772000.00005573718a0000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: c0r0n4x.arm7.elf, 6213.1.00007ffeb5999000.00007ffeb59ba000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: c0r0n4x.arm7.elf, 6213.1.00007ffeb5999000.00007ffeb59ba000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Yara detected Mirai

Source: Yara match

File source: c0r0n4x.arm7.elf, type: SAMPLE

Yara detected Mirai

Source: Yara match

File source: c0r0n4x.arm7.elf, type: SAMPLE

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

ID:	1541840
Product:	CloudBasic
Start time:	08:32:04
Start date:	25.10.2024
Sample:	c0r0n4x.arm7.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	12ab7e12a7a0083e820eab357047e6e6
SHA1:	96f60bcb131bd782da18c0adc4abc244b6b14a7b
SHA256:	18c3d744766f93b370579e40ce952cf6c018fe6e4f54edec191852be1746e29b
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
c0r0n4x.arm7.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report c0r0n4x.arm7.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
c0r0n4x.arm7.elf

Malware Threat Intel
Provided by