Linux Analysis Report
bot.x86.elf

Overview

General Information

Sample name: bot.x86.elf
Analysis ID: 1561932
MD5: 338f31eaeab0b97a0bf4583d7d18d016
SHA1: dd7e265f4b5e8e879bde31d30f247a6d19268a0a
SHA256: 24c72bd24a1669678df40e94367674f0a9e41303a8a63ca5c96819680c4fa888
Tags: user-elfdigest
Infos:

Detection

Mirai, Okiru
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mirai
Yara detected Okiru
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Uses dynamic DNS services
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

barindex
Source: bot.x86.elf Avira: detected
Source: bot.x86.elf ReversingLabs: Detection: 57%
Source: bot.x86.elf Joe Sandbox ML: detected
Source: bot.x86.elf String: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

barindex
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44826 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44798 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44814 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44824 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44802 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44828 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44800 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44808 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44804 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44818 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44812 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44816 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44822 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44820 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44810 -> 185.7.78.88:43957
Source: Network traffic Suricata IDS: 2030490 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) : 192.168.2.15:44806 -> 185.7.78.88:43957
Source: global traffic TCP traffic: 185.7.78.88 ports 43957,3,4,5,7,9
Source: unknown DNS query: name: testprodad.duckdns.org
Source: global traffic TCP traffic: 192.168.2.15:44798 -> 185.7.78.88:43957
Source: global traffic DNS traffic detected: DNS query: testprodad.duckdns.org

System Summary

barindex
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: bot.x86.elf PID: 5527, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: HTTP/1.1 200 OKtop1hbt.armtop1hbt.arm5top1hbt.arm6top1hbt.arm7top1hbt.mipstop1hbt.mpsltop1hbt.x86_64top1hbt.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f
Source: ELF static info symbol of initial sample .symtab present: no
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: bot.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: bot.x86.elf PID: 5527, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal100.troj.linELF@0/0@16/0
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/110/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/231/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/111/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/112/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/233/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/113/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/114/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/235/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/115/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1333/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/116/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1695/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/117/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/118/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/119/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/911/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3875/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/914/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/10/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/917/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/11/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/12/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/13/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/14/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/15/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/16/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/17/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/18/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/19/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1591/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/120/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/121/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/122/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/243/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/2/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/123/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/124/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1588/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/125/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/4/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/246/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/126/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/5/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/127/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/6/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1585/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/128/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/7/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/129/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/8/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/800/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/9/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/802/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/803/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/804/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/20/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/21/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3407/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/22/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/23/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/24/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/25/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/26/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/27/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/28/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/29/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1484/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/490/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/250/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/130/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/251/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/131/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/132/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/133/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1479/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/378/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/258/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/259/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/931/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1595/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/812/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/933/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/30/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3419/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/35/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3310/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/260/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/261/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/262/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/142/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/263/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/264/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/265/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/145/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/266/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/267/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/268/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3303/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/269/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1486/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/1806/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3684/cmdline Jump to behavior
Source: /tmp/bot.x86.elf (PID: 5529) File opened: /proc/3440/cmdline Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: bot.x86.elf, type: SAMPLE
Source: Yara match File source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bot.x86.elf PID: 5527, type: MEMORYSTR
Source: Yara match File source: bot.x86.elf, type: SAMPLE
Source: Yara match File source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bot.x86.elf PID: 5527, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Yara match File source: bot.x86.elf, type: SAMPLE
Source: Yara match File source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bot.x86.elf PID: 5527, type: MEMORYSTR
Source: Yara match File source: bot.x86.elf, type: SAMPLE
Source: Yara match File source: 5527.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bot.x86.elf PID: 5527, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs