
Linux Analysis Report
arm7-20231203-0928.elf

Overview

General Information

Sample Name: arm7-20231203-0928.elf
Analysis ID: 1352513
MD5: 8864efb6b67623c9b5296b5218359249
SHA1: 3ec2c5ce91fc19616d1b019e7699432c3527d471
SHA256: 7a1fa85c527a3e1db5c7a6935099ae483e73624a73f91532dcf8eb440acf4351

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample and/or dropped files contains symbols with suspicious names
Sample listens on a socket

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine and might only run correctly on MIPS or ARM architectures. For this file that is not a guess: the name says arm7, and the memory strings further down show the x86-64 Ubuntu analysis host launched it through /usr/bin/qemu-arm registered via binfmt_misc (/etc/qemu-binfmt/arm). Everything below was therefore observed under user-mode QEMU emulation, not on ARM hardware, so behaviour that depends on the ARM kernel, on device-specific paths or on a real IoT environment may simply be missing from this report.
All HTTP servers contacted by the sample do not answer, so the report classifies it as an old dropper that no longer works. Treat that conclusion with care: the HTTP and HTTPS endpoints in the traffic list (91.189.91.42 and 91.189.91.43 on port 443, 109.202.202.202 on port 80) belong to Canonical's and INIT7's networks according to the IP table below, which fits background traffic from the Ubuntu analysis host rather than the sample. The sample's own DNS lookup resolved botnet2.psscc.cn to 112.213.124.199, and the connection it made went to port 56999, not to an HTTP port.
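The check a practitioner runs before detonating or emulating a sample like this one, as an added example that is not part of the Joe Sandbox report: read e_ident and e_machine from the ELF header to learn architecture and endianness, then pick the matching user-mode QEMU binary (the /usr/bin/qemu-arm and /etc/qemu-binfmt/arm strings later in this report show the sandbox did exactly that through binfmt_misc). The header bytes used for testing are constructed, not taken from the sample, and the qemu-* names are the usual qemu-user package binaries, an assumption about the host's installation.

```python
import struct
import sys
from typing import Dict, Optional

# e_machine values from the ELF specification (the subset common in IoT bots).
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
             0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}

# Assumption: the usual qemu-user binary names on a Debian/Ubuntu host; the
# endianness selects the MIPS flavour. None means "runs natively on x86-64".
QEMU_USER = {("ARM", "little"): "qemu-arm", ("AArch64", "little"): "qemu-aarch64",
             ("MIPS", "big"): "qemu-mips", ("MIPS", "little"): "qemu-mipsel",
             ("PowerPC", "big"): "qemu-ppc", ("SuperH", "little"): "qemu-sh4",
             ("x86", "little"): None, ("x86-64", "little"): None}


def parse_elf_header(data: bytes) -> Dict[str, str]:
    """Read e_ident and the two fields after it: enough to know what hardware
    or emulator the file needs before anything is executed."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "little", 2: "big"}[ei_data]
    fmt = "<" if endian == "little" else ">"
    e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
    return {"class": {1: "ELF32", 2: "ELF64"}[ei_class],
            "endian": endian,
            "type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)),
            "machine": E_MACHINE.get(e_machine, hex(e_machine))}


def qemu_runner(hdr: Dict[str, str], host: str = "x86-64") -> Optional[str]:
    """Name of the user-mode QEMU binary needed on `host`; None if the file
    runs natively, "unsupported" if no mapping is known."""
    if hdr["machine"] == host:
        return None
    return QEMU_USER.get((hdr["machine"], hdr["endian"]), "unsupported")


def constructed_header(machine: int, endian: str = "little", bits: int = 32) -> bytes:
    """Constructed minimal ELF header (52 bytes for ELF32, 64 for ELF64) used
    only to exercise the parser; it is not a header taken from the sample."""
    fmt = "<" if endian == "little" else ">"
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1])
             + b"\x00" * 9)
    fields = struct.pack(fmt + "HHI", 2, machine, 1)  # e_type=EXEC, e_machine, e_version
    size = 52 if bits == 32 else 64
    return ident + fields + b"\x00" * (size - len(ident) - len(fields))


if __name__ == "__main__":
    # Usage: python elf_arch.py <file>; prints the header summary and runner.
    with open(sys.argv[1], "rb") as f:
        hdr = parse_elf_header(f.read(64))
    print(hdr, "->", qemu_runner(hdr) or "native")
```

On a real file, `readelf -h arm7-20231203-0928.elf` shows the same Machine and Data (endianness) fields; the point of doing it in code is to make the architecture gate part of the intake pipeline rather than something an analyst remembers to run.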
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1352513
Start date and time: 2023-12-03 10:39:57 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample file name: arm7-20231203-0928.elf
Detection: MAL
Classification: mal76.troj.linELF@0/0@17/0
Command: /tmp/arm7-20231203-0928.elf
PID: 6205
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
unstable_is_the_history_of_universe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
arm7-20231203-0928.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
arm7-20231203-0928.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
The 29-byte string $a listed below decodes to the ASCII text /x38/xFJ/x93/xID/x9A/x38/xFJ/, which is the 20-character unit /x38/xFJ/x93/xID/x9A followed by its own first nine characters. Hits every 0x14 (20) bytes therefore mean the payload is stored as that unit repeated back to back; 21 overlapping hits from 0x10068 to 0x101f8 cover a run of at least 429 bytes.
    • 0x10068:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1007c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10090:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10108:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1011c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10130:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10144:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10158:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1016c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10180:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10194:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Source | Rule | Description | Author | Strings
6205.1.00007fd34002f000.00007fd340031000.rw-.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
    • 0x68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xcc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x108:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x130:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x144:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x158:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x16c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x180:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x194:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6205.1.00007fd340017000.00007fd340028000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
    • 0x10068:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1007c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10090:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x100f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10108:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1011c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10130:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10144:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10158:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1016c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10180:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x10194:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x101f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: arm7-20231203-0928.elf PID: 6205 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
    • 0x13ee6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13efa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13f9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13fae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13fc2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x13fd6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    No Snort rule has matched
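Worked example, added here and not part of the Joe Sandbox report or of the Elastic rule set: the bytes the rule reports for $a are one 20-character unit plus the first nine characters of the next one, so a payload stored as that unit repeated yields an overlapping hit every 0x14 bytes, exactly the offset pattern in the tables above. The script decodes the bytes, rebuilds such a payload into a constructed buffer (the 0x10068 bytes of filler and the repeat count of 22 are assumptions chosen to reproduce the listed offsets; the real file layout is not on the page) and re-finds the overlapping hits the way YARA lists them, without needing the yara module.

```python
import re
from typing import List, Set

# The 29 bytes YARA reports for string $a of Linux_Trojan_Gafgyt_28a2fe0c,
# copied from the string-hit table in this report.
GAFGYT_A_HEX = ("2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 "
                "2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F")
GAFGYT_A = bytes.fromhex(GAFGYT_A_HEX)

# The 20-byte unit the pattern is made of: $a is one unit plus the first
# 9 bytes of the next, so a back-to-back repetition matches every 20 bytes.
UNIT = b"/x38/xFJ/x93/xID/x9A"

# Assumptions for the constructed buffer: 0x10068 bytes of filler before the
# payload and 22 repetitions, chosen so the hits reproduce the offsets in the
# report (0x10068 .. 0x101f8). The real file layout is not on the page.
FILLER_LEN = 0x10068
REPEATS = 22


def decode_hit(pattern: bytes = GAFGYT_A) -> str:
    """Render the rule's raw bytes as text so the analyst can read them."""
    return pattern.decode("ascii")


def find_hits(buf: bytes, pattern: bytes = GAFGYT_A) -> List[int]:
    """Every offset (overlapping ones included) at which pattern occurs in
    buf, which is how YARA lists hits of a plain string."""
    probe = re.compile(b"(?=" + re.escape(pattern) + b")")
    return [m.start() for m in probe.finditer(buf)]


def build_sample(repeats: int = REPEATS, filler_len: int = FILLER_LEN) -> bytes:
    """Constructed stand-in for the sample's data: filler, then UNIT repeated."""
    return b"\x00" * filler_len + UNIT * repeats


def hit_stride(offsets: List[int]) -> Set[int]:
    """Distances between consecutive hits; a single value means the payload
    is periodic with that period."""
    return {b - a for a, b in zip(offsets, offsets[1:])}


if __name__ == "__main__":
    hits = find_hits(build_sample())
    print(decode_hit(), len(hits), [hex(h) for h in hits[:3]], hit_stride(hits))
```

The same function run with `filler_len=0x68` reproduces the rw- memory-dump offsets (0x68, 0x7c, ...), which is the same payload copied into writable memory at a different base; in triage that is a quick way to confirm that two hit lists describe one string rather than two.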


AV Detection

Source: arm7-20231203-0928.elf, Avira: detected
Source: arm7-20231203-0928.elf, ReversingLabs: Detection: 67%
Source: arm7-20231203-0928.elf, Virustotal: Detection: 67%
Networking

Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic, TCP traffic: 192.168.2.23:56516 -> 112.213.124.199:56999
Source: /tmp/arm7-20231203-0928.elf (PID: 6205), socket: 127.0.0.1:46157
Source: unknown, DNS traffic detected: queries for botnet2.psscc.cn
Source: unknown, network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42 (three times), 91.189.91.43 (three times), 109.202.202.202 (twice)
Reading this list: the only traffic tied to a name the sample itself resolved is the DNS query for botnet2.psscc.cn and the TCP connection to 112.213.124.199:56999, a non-standard port and not HTTP, which is the candidate C2. The 91.189.91.42/.43 endpoints are in Canonical's AS and the analysis host is Ubuntu 20.04, so the port 443 connections (and the 109.202.202.202:80 one, an INIT7 address that the related-samples table below shows for many unrelated uploads) are most likely environment background traffic and should not be promoted to indicators. The local bind on 127.0.0.1:46157 is consistent with Mirai's single-instance check, where a failed bind on a fixed loopback port tells the bot another copy is already running (the published source uses port 48101; variants change it).

    System Summary

Source: arm7-20231203-0928.elf, type: SAMPLE, matched rule: Linux_Trojan_Gafgyt_28a2fe0c, author: unknown
Source: 6205.1.00007fd34002f000.00007fd340031000.rw-.sdmp, type: MEMORY, matched rule: Linux_Trojan_Gafgyt_28a2fe0c, author: unknown
Source: 6205.1.00007fd340017000.00007fd340028000.r-x.sdmp, type: MEMORY, matched rule: Linux_Trojan_Gafgyt_28a2fe0c, author: unknown
Source: Process Memory Space: arm7-20231203-0928.elf PID: 6205, type: MEMORYSTR, matched rule: Linux_Trojan_Gafgyt_28a2fe0c, author: unknown
Rule metadata for Linux_Trojan_Gafgyt_28a2fe0c (identical for all four matches): os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: ELF static info, symbols of the initial sample with names commonly found in malware: attack.c, attack_get_opt_int, attack_get_opt_ip, attack_init, attack_kill_all, attack_method_nudp, attack_method_stdhex, attack_method_tcp, attack_ongoing, attack_parse
Source: arm7-20231203-0928.elf, ELF static info, symbols of the initial sample with suspicious names: __gnu_unwind_execute, hexPayload
Source: classification engine, classification label: mal76.troj.linELF@0/0@17/0
The binary is unstripped, which is why the two families show up together: attack_get_opt_int, attack_get_opt_ip, attack_init, attack_kill_all, attack_ongoing and attack_parse are the function names of Mirai's attack.c, while attack_method_stdhex and hexPayload name the Gafgyt/Qbot-style "STD" hex flood whose repeated /x38/xFJ/x93/xID/x9A payload is the string the Elastic Gafgyt rule keys on. The Joe Security rule classifies it as Mirai; the Elastic rule as Gafgyt; both are right about the code they see.
Source: /tmp/arm7-20231203-0928.elf (PID: 6209, a second instance of the sample; the initial process was PID 6205), file opened: /proc/<pid>/cmdline for 105 PIDs, in this order: 6230, 6232, 6231, 6233, 1582, 3088, 230, 110, 231, 111, 232, 1579, 112, 233, 1699, 113, 234, 1335, 1698, 114, 235, 1334, 1576, 2302, 115, 236, 116, 237, 117, 118, 910, 6227, 119, 6226, 912, 6229, 6228, 10, 2307, 11, 918, 12, 13, 14, 15, 16, 17, 18, 1594, 120, 121, 1349, 1, 122, 243, 123, 2, 124, 3, 4, 125, 126, 1344, 1465, 1586, 127, 6, 248, 128, 249, 1463, 800, 9, 801, 20, 21, 1900, 22, 23, 24, 25, 26, 27, 28, 29, 491, 250, 130, 251, 252, 132, 253, 254, 255, 256, 1599, 257, 1477, 379, 258, 1476, 259, 1475, 936, 30
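Detection logic for the walk above, as an added example that is not part of the report: Mirai-family bots read /proc/<pid>/cmdline for every process to find and kill competing bots, but ps and friends read the same files, so the usable signal is one process opening many foreign cmdline files inside a short window rather than any single open. The log lines here are constructed in a simple key=value form (not the sandbox's or auditd's native format) from the PID list the report shows for PID 6209, plus a few benign events for contrast; the threshold and window are assumptions to tune per host.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# PIDs whose /proc/<pid>/cmdline the report shows PID 6209 opening, in the
# order listed in the behaviour section above.
SCANNED_PIDS = [int(p) for p in """
6230 6232 6231 6233 1582 3088 230 110 231 111 232 1579 112 233 1699 113 234 1335
1698 114 235 1334 1576 2302 115 236 116 237 117 118 910 6227 119 6226 912 6229
6228 10 2307 11 918 12 13 14 15 16 17 18 1594 120 121 1349 1 122 243 123 2 124 3
4 125 126 1344 1465 1586 127 6 248 128 249 1463 800 9 801 20 21 1900 22 23 24 25
26 27 28 29 491 250 130 251 252 132 253 254 255 256 1599 257 1477 379 258 1476
259 1475 936 30""".split()]

# Constructed event log (assumed key=value format, timestamps invented): the
# sample's scan followed by a benign `ps` reader and an unrelated open.
LOG_LINES: List[str] = [
    f"ts=1701596400.{i:03d} pid=6209 comm=arm7-20231203-0928.elf op=open path=/proc/{p}/cmdline"
    for i, p in enumerate(SCANNED_PIDS)
]
LOG_LINES += [
    "ts=1701596401.000 pid=7001 comm=ps op=open path=/proc/1/cmdline",
    "ts=1701596401.001 pid=7001 comm=ps op=open path=/proc/2/cmdline",
    "ts=1701596401.002 pid=7001 comm=ps op=open path=/proc/self/status",
    "ts=1701596401.003 pid=7002 comm=sshd op=open path=/etc/passwd",
]

LINE_RE = re.compile(r"ts=(?P<ts>\S+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) op=open path=(?P<path>\S+)")
CMDLINE_RE = re.compile(r"^/proc/(\d+)/cmdline$")


def parse_events(lines: Iterable[str]) -> Iterator[Tuple[float, int, str, str]]:
    """Yield (timestamp, pid, comm, path) for every well-formed open event."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), int(m["pid"]), m["comm"], m["path"]


def find_proc_scanners(lines: Iterable[str], threshold: int = 20,
                       window_s: float = 5.0) -> Dict[int, Tuple[str, int]]:
    """Return {pid: (comm, total distinct targets)} for every process that opened
    at least `threshold` distinct foreign /proc/<pid>/cmdline files within any
    `window_s`-second span. Reads of the process's own cmdline are ignored."""
    opens: Dict[int, List[Tuple[float, int]]] = defaultdict(list)
    comms: Dict[int, str] = {}
    for ts, pid, comm, path in parse_events(lines):
        m = CMDLINE_RE.match(path)
        if not m or int(m[1]) == pid:
            continue
        opens[pid].append((ts, int(m[1])))
        comms[pid] = comm

    hits: Dict[int, Tuple[str, int]] = {}
    for pid, events in opens.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over timestamps
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            if len({t for _, t in events[lo:hi + 1]}) >= threshold:
                hits[pid] = (comms[pid], len({t for _, t in events}))
                break
    return hits


if __name__ == "__main__":
    for pid, (comm, n) in find_proc_scanners(LOG_LINES).items():
        print(f"pid {pid} ({comm}) read {n} foreign /proc/<pid>/cmdline files")
```

On a real host the same function can be fed auditd `openat` records filtered to /proc paths, or the sandbox's own behaviour export; the point is the per-process, per-window count of distinct targets, which separates a killer loop from a one-off `ps`.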
Source: /tmp/arm7-20231203-0928.elf (PID: 6205), queries kernel information via 'uname'
Source: arm7-20231203-0928.elf, 6205.1.00007fff4d665000.00007fff4d686000.rw-.sdmp, binary or memory string: ^x86_64/usr/bin/qemu-arm/tmp/arm7-20231203-0928.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7-20231203-0928.elf
Source: arm7-20231203-0928.elf, 6205.1.00005648568bc000.0000564856a0b000.rw-.sdmp, binary or memory string: /etc/qemu-binfmt/arm
Source: arm7-20231203-0928.elf, 6205.1.00007fff4d665000.00007fff4d686000.rw-.sdmp, binary or memory string: /usr/bin/qemu-arm
Source: arm7-20231203-0928.elf, 6205.1.00005648568bc000.0000564856a0b000.rw-.sdmp, binary or memory string: VHV!/etc/qemu-binfmt/arm
These four strings describe the analysis environment, not the sample: the process was /usr/bin/qemu-arm emulating the ARM binary on an x86_64 host (binfmt_misc handler /etc/qemu-binfmt/arm), started from a root shell obtained via sudo, and the dumped stack and heap regions are QEMU's, which is why 64-bit addresses appear for a 32-bit ARM file. They explain the architecture advice at the top of the report and must not be used as indicators of compromise.

Stealing of Sensitive Information

Source: Yara match, file source: arm7-20231203-0928.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match, file source: arm7-20231203-0928.elf, type: SAMPLE
MITRE ATT&CK matrix, techniques with signature hits (hit count in parentheses):
• Defense Evasion: Masquerading (1)
• Credential Access: OS Credential Dumping (1)
• Discovery: Security Software Discovery (11)
• Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
The other columns of the matrix (Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects, Impact, Resource Development, Reconnaissance) and the unnumbered techniques in the columns above are the empty matrix template with no hits.
    No configs have been found
Source | Detection | Scanner | Label
arm7-20231203-0928.elf | 68% | ReversingLabs | Linux.Trojan.Mirai
arm7-20231203-0928.elf | 68% | Virustotal |
arm7-20231203-0928.elf | 100% | Avira | EXP/ELF.Mirai.Gen.J
(The AV Detection section above lists the ReversingLabs and Virustotal results as 67%; the report is inconsistent by one point between the two places.)
No Antivirus matches
Source | Detection | Scanner | Label
botnet2.psscc.cn | 8% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
botnet2.psscc.cn | 112.213.124.199 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
112.213.124.199 | botnet2.psscc.cn | Hong Kong | 38197 | SUNHK-DATA-AS-AP SunNetwork Hong Kong Limited | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Other samples in the Joe Sandbox corpus that contacted the same IPs (associated sample name, detection, threat name):
109.202.202.202:
• x86_64-20231203-0928.elf, malicious, Unknown
• SecuriteInfo.com.Trojan.Linux.Mirai.29744.17563.elf, malicious, Unknown
• SecuriteInfo.com.Trojan.Linux.Mirai.1085.18302.elf, malicious, Unknown
• arm7.elf, malicious, Unknown
• j0lGr8krMR.elf, malicious, Mirai
• q5ZB59lfi7.elf, malicious, Mirai
• bot.x86.elf, malicious, Mirai
• bot.arm5.elf, malicious, Mirai
• xaarch64.elf, malicious, Unknown
• eIsiU6BbPe.elf, malicious, Mirai
• tvOnVQPlql.elf, malicious, Mirai
• gjh7N6186u.elf, malicious, Mirai
• arm7-20231201-1833.elf, malicious, Unknown
• tgLEk39U, malicious, Unknown
• rPmpxBOqv6.elf, malicious, Unknown
• arm7.elf, malicious, Unknown
• ZlokKccCkK.elf, malicious, Unknown
• arm7.elf, malicious, Unknown
• oLiCZWdCxX.elf, malicious, Unknown
• hAr9ItLrN3.elf, malicious, Unknown
112.213.124.199:
• x86_64-20231203-0928.elf, malicious, Unknown
• 5Hgh2qHKJN.elf, malicious, Unknown
• J7acd48WGL.elf, malicious, Unknown
• SePGbmCTYu.elf, malicious, Unknown
• mips-20231125-2108.elf, malicious, Unknown
• x86_64-20231125-2109.elf, malicious, Unknown
• mpsl.elf, malicious, Unknown
• arm-20231125-2108.elf, malicious, Unknown
• arm7-20231125-2109.elf, malicious, Mirai
• x86-20231125-2108.elf, malicious, Unknown