Linux Analysis Report
mips.elf

Overview

General Information

Sample name: mips.elf
Analysis ID: 1544641
MD5: 91692d9ee16eb7898c5607df7e239939
SHA1: 9a7dfa5b5b2ac601721565f8aa0fd9b4ce76d000
SHA256: 9a3fb9f5450febb162c21567086a059cf4543936eff2ec23691da2181a13d68b
Tags: elf, Mirai, user-abuse_ch

Detection

Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Connects to many IPs within the same subnet mask (likely port scanning)
Connects to many ports of the same IP (likely port scanning)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: mips.elf Avira: detected
Source: mips.elf ReversingLabs: Detection: 47%

Networking

Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:41252 -> 185.174.135.118:22353
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:57754 -> 46.23.108.109:1295
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:48760 -> 154.216.20.58:15377
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:41778 -> 46.23.108.159:2272
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:45972 -> 46.23.108.159:19404
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:39874 -> 185.174.135.118:25371
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:58528 -> 46.23.108.133:12533
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:54334 -> 46.23.108.110:10602
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:59796 -> 45.148.10.51:22794
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:34182 -> 46.23.108.110:17735
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:52696 -> 154.216.20.58:10935
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:48164 -> 46.23.108.54:18870
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:56120 -> 185.174.135.118:20483
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:59800 -> 45.148.10.51:22794
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:46058 -> 46.23.108.55:2519
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:48160 -> 46.23.108.54:18870
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:54802 -> 46.23.108.110:15320
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:54726 -> 46.23.108.159:22076
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:39502 -> 46.23.108.54:21757
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:54946 -> 46.23.108.133:13739
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:56690 -> 46.23.108.62:10914
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:39532 -> 45.148.10.51:10292
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:46464 -> 46.23.108.61:2259
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:46754 -> 46.23.108.110:10923
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:39366 -> 185.174.135.118:17175
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:58724 -> 46.23.108.161:22353
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:42918 -> 185.174.135.118:4687
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:35290 -> 46.23.108.61:19404
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:48766 -> 154.216.20.58:15377
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:58524 -> 46.23.108.133:12533
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:41484 -> 46.23.108.110:18158
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:34442 -> 46.23.108.252:15076
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:48918 -> 46.23.108.111:21946
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.23:37504 -> 154.216.20.58:7594
Source: global traffic TCP traffic: Count: 11 IPs: 46.23.108.109,46.23.108.61,46.23.108.62,46.23.108.54,46.23.108.55,46.23.108.161,46.23.108.133,46.23.108.111,46.23.108.110,46.23.108.252,46.23.108.159
Source: global traffic TCP traffic: 154.216.20.58 ports 7594,15377,1,3,5,10935,7
Source: global traffic TCP traffic: 46.23.108.61 ports 0,1,2259,4,9,19404
Source: global traffic TCP traffic: 46.23.108.54 ports 18870,21757,1,2,5,7
Source: global traffic TCP traffic: 185.174.135.118 ports 17175,20483,22353,2,3,25371,5,4687
Source: global traffic TCP traffic: 46.23.108.133 ports 1,13739,3,7,9,12533
Source: global traffic TCP traffic: 46.23.108.111 ports 21946,1,2,4,6,9
Source: global traffic TCP traffic: 45.148.10.51 ports 10292,22794,2,4,7,9
Source: global traffic TCP traffic: 46.23.108.110 ports 18158,15320,0,10602,1,2,10923,3,9,17735
Source: global traffic TCP traffic: 46.23.108.252 ports 15076,0,1,5,6,7
Source: global traffic TCP traffic: 46.23.108.159 ports 2272,0,1,4,22076,9,19404
Source: ip traffic Subnet 46.23.108.0/24: 46.23.108.109, 46.23.108.61, 46.23.108.62, 46.23.108.54, 46.23.108.55, 46.23.108.161, 46.23.108.133, 46.23.108.111, 46.23.108.110, 46.23.108.252, 46.23.108.159
Source: global traffic DNS traffic detected: malformed DNS query: sandmen.geek. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: sliteyed.pirate. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: repo.dyn. [malformed]
Source: global traffic TCP traffic: 192.168.2.23:35290 -> 46.23.108.61:19404
Source: global traffic TCP traffic: 192.168.2.23:45972 -> 46.23.108.159:19404
Source: global traffic TCP traffic: 192.168.2.23:58724 -> 46.23.108.161:22353
Source: global traffic TCP traffic: 192.168.2.23:41252 -> 185.174.135.118:22353
Source: global traffic TCP traffic: 192.168.2.23:59796 -> 45.148.10.51:22794
Source: global traffic TCP traffic: 192.168.2.23:57754 -> 46.23.108.109:1295
Source: global traffic TCP traffic: 192.168.2.23:54946 -> 46.23.108.133:13739
Source: global traffic TCP traffic: 192.168.2.23:34442 -> 46.23.108.252:15076
Source: global traffic TCP traffic: 192.168.2.23:56690 -> 46.23.108.62:10914
Source: global traffic TCP traffic: 192.168.2.23:39502 -> 46.23.108.54:21757
Source: global traffic TCP traffic: 192.168.2.23:48760 -> 154.216.20.58:15377
Source: global traffic TCP traffic: 192.168.2.23:46754 -> 46.23.108.110:10923
Source: global traffic TCP traffic: 192.168.2.23:48918 -> 46.23.108.111:21946
Source: global traffic TCP traffic: 192.168.2.23:46058 -> 46.23.108.55:2519
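The three scanning signatures listed above (many IPs within the same /24, many ports on the same IP, traffic on non-standard ports) can be re-derived from the flow entries themselves. The Python below is an added example, not part of the report or of the sample: it parses flows in the report's own "src:port -> dst:port" notation (the embedded list is copied from the TCP traffic entries in this section) and applies the three heuristics. The 5-host and 3-port thresholds and the allow-list of "standard" ports are assumptions to tune per environment.

```python
import ipaddress
import re
from collections import defaultdict

# Flow lines in the report's own "src:port -> dst:port" notation, copied from the
# TCP traffic entries above; a subset is enough to exercise the heuristics.
REPORT_FLOWS = """
192.168.2.23:35290 -> 46.23.108.61:19404
192.168.2.23:45972 -> 46.23.108.159:19404
192.168.2.23:58724 -> 46.23.108.161:22353
192.168.2.23:41252 -> 185.174.135.118:22353
192.168.2.23:59796 -> 45.148.10.51:22794
192.168.2.23:57754 -> 46.23.108.109:1295
192.168.2.23:54946 -> 46.23.108.133:13739
192.168.2.23:34442 -> 46.23.108.252:15076
192.168.2.23:56690 -> 46.23.108.62:10914
192.168.2.23:39502 -> 46.23.108.54:21757
192.168.2.23:48760 -> 154.216.20.58:15377
192.168.2.23:46754 -> 46.23.108.110:10923
192.168.2.23:48918 -> 46.23.108.111:21946
192.168.2.23:46058 -> 46.23.108.55:2519
192.168.2.23:54334 -> 46.23.108.110:10602
192.168.2.23:34182 -> 46.23.108.110:17735
192.168.2.23:43928 -> 91.189.91.42:443
192.168.2.23:42836 -> 91.189.91.43:443
192.168.2.23:42516 -> 109.202.202.202:80
"""

FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Assumed allow-list: ports an embedded device might legitimately reach out to.
# Everything else counts as "non-standard" for the heuristic.
STANDARD_PORTS = {22, 23, 53, 80, 123, 443, 8080}


def parse_flows(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for every flow line in text."""
    return [(s, int(sp), d, int(dp)) for s, sp, d, dp in FLOW_RE.findall(text)]


def subnet_fanout(flows, prefix=24):
    """Distinct destination hosts per /prefix network (the 'scans a subnet' heuristic)."""
    hosts = defaultdict(set)
    for _, _, dst, _ in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        hosts[str(net)].add(dst)
    return hosts


def port_fanout(flows):
    """Distinct destination ports per host (the 'many ports of the same IP' heuristic)."""
    ports = defaultdict(set)
    for _, _, dst, dport in flows:
        ports[dst].add(dport)
    return ports


def scan_indicators(flows, min_hosts=5, min_ports=3):
    """Apply the three heuristics; the thresholds are assumptions, not the sandbox's."""
    subnets = {net: sorted(h, key=ipaddress.ip_address)
               for net, h in subnet_fanout(flows).items() if len(h) >= min_hosts}
    ports = {ip: sorted(p) for ip, p in port_fanout(flows).items() if len(p) >= min_ports}
    nonstd = sorted({(dst, dport) for _, _, dst, dport in flows if dport not in STANDARD_PORTS})
    return {"subnet_sweep": subnets, "port_fanout": ports, "nonstandard_ports": nonstd}


if __name__ == "__main__":
    ind = scan_indicators(parse_flows(REPORT_FLOWS))
    for net, hosts in ind["subnet_sweep"].items():
        print(f"subnet sweep : {net} -> {len(hosts)} distinct hosts")
    for ip, ports in ind["port_fanout"].items():
        print(f"port fan-out : {ip} -> ports {ports}")
    print(f"non-standard : {len(ind['nonstandard_ports'])} (host, port) pairs")
```

On the embedded subset the script flags 46.23.108.0/24 (11 distinct hosts) and 46.23.108.110 (three ports), matching the report's signatures. The three flows to 91.189.91.42, 91.189.91.43 and 109.202.202.202 on 443/80 are not flagged; they have no preceding DNS query and in an Ubuntu-based sandbox such addresses are typically the guest's own connectivity-check or package endpoints rather than bot traffic, so verify them before adding them to an IOC list.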
Source: /tmp/mips.elf (PID: 6218) Socket: 127.0.0.1:1172
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (3 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (3 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24 (9 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166 (5 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 51.158.108.203 (5 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 139.84.165.176 (3 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 64.176.6.48 (3 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122 (3 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 81.169.136.222 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 70.34.254.19 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 217.160.70.42 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72 (2 entries)
Source: unknown UDP traffic detected without corresponding DNS query: 152.53.15.127 (1 entry)
Source: unknown UDP traffic detected without corresponding DNS query: 65.21.1.106 (1 entry)
Source: global traffic DNS traffic detected: DNS query: sandmen.geek
Source: global traffic DNS traffic detected: DNS query: sliteyed.pirate
Source: global traffic DNS traffic detected: DNS query: sandmen.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: sliteyed.pirate. [malformed]
Source: global traffic DNS traffic detected: DNS query: repo.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: dingdingrouter.pirate
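The queried names end in .geek, .pirate and .dyn, none of which is delegated in the ICANN root zone; they are served only by alternative-root namespaces such as OpenNIC, so a standard recursive resolver returns NXDOMAIN for them. The report does not say what is malformed about the three flagged queries. The Python below is an added example, not from the report or the sample: it builds RFC 1035 wire-format queries for the names above (constructed here, not the sandbox's captured packets), parses the question name strictly, so that any of the checks an IDS parser applies would surface as "malformed", and labels the TLD as ICANN or alt-root. The ICANN TLD set is an assumed small subset of the IANA list; a real hunt loads the full list.

```python
import struct

# Names the report shows being queried; wire-format queries for them are constructed
# by build_query below (the sandbox's actual packets are not reproduced here).
REPORT_NAMES = ["sandmen.geek", "sliteyed.pirate", "repo.dyn", "dingdingrouter.pirate"]

# Assumed small subset of the ICANN root zone. A real check loads the full list from
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt
ICANN_TLDS = {"com", "net", "org", "info", "io", "ru", "de", "cn", "arpa"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal RFC 1035 query: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(packet):
    """Strictly parse the question name; raise ValueError on anything a lenient
    resolver might tolerate but an IDS parser would flag as malformed."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("name runs past end of packet")
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer or reserved label type in question")
        if n > 63 or off + n > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[off:off + n].decode("ascii"))
        off += n
    if not labels:
        raise ValueError("empty question name")
    if off + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    return ".".join(labels), off + 4


def classify(packet):
    """Return (verdict, name, detail): verdict is 'icann', 'alt-root' or 'malformed'."""
    try:
        name, _ = parse_qname(packet)
    except ValueError as e:
        return "malformed", None, str(e)
    tld = name.rsplit(".", 1)[-1].lower()
    return ("icann" if tld in ICANN_TLDS else "alt-root"), name, tld


if __name__ == "__main__":
    for n in REPORT_NAMES + ["example.com"]:
        print(classify(build_query(n)))
    print(classify(build_query("repo.dyn")[:-3]))  # truncated question -> malformed
```

In practice the alt-root verdict is the useful hunting signal: a device on your network querying .geek or .pirate names is either pointed at a non-standard resolver or, as the UDP traffic without preceding DNS lookups in this report suggests, running code that carries its own resolver list.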
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal84.spre.troj.linELF@0/0@92/0

Persistence and Installation Behavior

Source: /tmp/mips.elf (PID: 6222) File: /proc/6222/mounts
Source: /tmp/mips.elf (PID: 6218) Queries kernel information via 'uname'
Source: mips.elf, 6218.1.00005562f2fc9000.00005562f3092000.rw-.sdmp, mips.elf, 6222.1.00005562f2fc9000.00005562f3092000.rw-.sdmp, mips.elf, 6229.1.00005562f2fc9000.00005562f3092000.rw-.sdmp, mips.elf, 6223.1.00005562f2fc9000.00005562f3092000.rw-.sdmp Binary or memory string: bU!/etc/qemu-binfmt/mips
Source: mips.elf, 6218.1.00005562f2fc9000.00005562f3092000.rw-.sdmp, mips.elf, 6222.1.00005562f2fc9000.00005562f3092000.rw-.sdmp, mips.elf, 6229.1.00005562f2fc9000.00005562f3092000.rw-.sdmp, mips.elf, 6223.1.00005562f2fc9000.00005562f3092000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 6218.1.00007ffe92500000.00007ffe92521000.rw-.sdmp, mips.elf, 6222.1.00007ffe92500000.00007ffe92521000.rw-.sdmp, mips.elf, 6229.1.00007ffe92500000.00007ffe92521000.rw-.sdmp, mips.elf, 6223.1.00007ffe92500000.00007ffe92521000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 6218.1.00007ffe92500000.00007ffe92521000.rw-.sdmp, mips.elf, 6222.1.00007ffe92500000.00007ffe92521000.rw-.sdmp, mips.elf, 6229.1.00007ffe92500000.00007ffe92521000.rw-.sdmp, mips.elf, 6223.1.00007ffe92500000.00007ffe92521000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
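Two caveats for the memory-dump entries above. The dump regions at 0x00005562... and 0x00007ffe... are x86_64 user-space addresses, i.e. the address space of the qemu-mips user-mode emulator that ran this 32-bit MIPS sample; the /usr/bin/qemu-mips path and the SUDO_USER, PATH and HOME strings are the emulator process's own argv and environment on the analysis host, not strings carried by the sample. Second, the "stripped symbol table" signature means the file has no .symtab section, which can be confirmed statically before running anything. The Python below is an added example, not from the report: it parses the ELF identification, header and section table (ELF32 or ELF64, either byte order), reports the machine type and whether a .symtab survives, and constructs a minimal big-endian MIPS ELF image as test input so it runs offline; pass a real file path to inspect a sample.

```python
import struct

EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
SHT_SYMTAB, SHT_STRTAB = 2, 3


def elf_info(data):
    """Parse e_ident, the ELF header and the section table; report arch, byte order,
    section names and whether a .symtab (SHT_SYMTAB) section survives."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = ">" if ei_data == ELFDATA2MSB else "<"
    if ei_class == ELFCLASS32:
        hdr = struct.unpack(end + "HHIIIIIHHHHHH", data[16:52])
        sh_fmt, sh_len = end + "IIIIIIIIII", 40
    elif ei_class == ELFCLASS64:
        hdr = struct.unpack(end + "HHIQQQIHHHHHH", data[16:64])
        sh_fmt, sh_len = end + "IIQQQQIIQQ", 64
    else:
        raise ValueError(f"bad EI_CLASS {ei_class}")
    e_machine, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[1], hdr[5], hdr[10], hdr[11], hdr[12]
    info = {"class": 32 if ei_class == ELFCLASS32 else 64,
            "big_endian": ei_data == ELFDATA2MSB,
            "machine": EM_NAMES.get(e_machine, f"EM_{e_machine}"),
            "section_names": [], "has_symtab": False}
    # A fully stripped file may have no section table at all; that also means no .symtab.
    if e_shoff == 0 or e_shnum == 0:
        return info
    if e_shentsize != sh_len or e_shoff + e_shnum * sh_len > len(data):
        raise ValueError("section table is truncated or has a bad entry size")
    shdrs = [struct.unpack(sh_fmt, data[e_shoff + i * sh_len:e_shoff + (i + 1) * sh_len])
             for i in range(e_shnum)]
    # Field order is the same for Elf32_Shdr and Elf64_Shdr: name, type, flags, addr, offset, size, ...
    st = shdrs[e_shstrndx]
    strtab = data[st[4]:st[4] + st[5]]

    def name_at(n):
        return strtab[n:strtab.index(b"\x00", n)].decode("ascii", "replace")

    info["section_names"] = [name_at(s[0]) for s in shdrs]
    info["has_symtab"] = any(s[1] == SHT_SYMTAB for s in shdrs)
    return info


def build_minimal_elf(stripped):
    """Constructed test input: a tiny big-endian ELF32 MIPS image with a section table
    (.shstrtab plus an optional empty .symtab). Not loadable; it only exercises the parser."""
    names = b"\x00.shstrtab\x00" + (b"" if stripped else b".symtab\x00")
    shstr_off = 52                                    # string table right after the ELF header
    sh_off = (shstr_off + len(names) + 3) & ~3        # section table, 4-byte aligned
    sections = [(0, 0, 0, 0), (1, SHT_STRTAB, shstr_off, len(names))]
    if not stripped:
        sections.append((11, SHT_SYMTAB, 0, 0))       # name offset 11 == ".symtab"
    shdrs = b"".join(struct.pack(">IIIIIIIIII", nm, ty, 0, 0, off, sz, 0, 0, 1, 0)
                     for nm, ty, off, sz in sections)
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0]) + b"\x00" * 8
    # e_type=EXEC, e_machine=EM_MIPS, e_shoff, e_ehsize=52, e_shentsize=40, e_shnum, e_shstrndx=1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0, 0, sh_off, 0, 52, 0, 0, 40, len(sections), 1)
    body = ehdr + names
    return body + b"\x00" * (sh_off - len(body)) + shdrs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_elf(stripped=True)
    print(elf_info(data))
```

Absence of .symtab is what the sandbox signature tests; a dynamically linked binary keeps .dynsym regardless, and a packed sample may drop the section table entirely, which the parser reports as no sections and no .symtab rather than as an error.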