Linux Analysis Report
tUzH4zTmwI.elf

Overview

General Information

Sample name: tUzH4zTmwI.elf
(renamed because the original name is a hash value)
Original sample name: 24736e8f0e51be6d768e20591adde1ac.elf
Analysis ID: 1427873
MD5: 24736e8f0e51be6d768e20591adde1ac
SHA1: e57ca5cf2b641b230c944e2c0480090c771e3e15
SHA256: 844ee6c620e121eb13856b910fbde2694ab7309d69b97ccbc355c01ca90404b9
Tags: 32, elf, mips, mirai

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Executes the "iptables" command to insert, remove and/or manipulate rules
Detected TCP or UDP traffic on non-standard ports
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: tUzH4zTmwI.elf Virustotal: Detection: 21%

Networking

Source: /bin/sh (PID: 5593) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: global traffic TCP traffic: 192.168.2.14:35532 -> 185.196.11.64:35342
Source: global traffic TCP traffic: 192.168.2.14:34882 -> 212.118.43.167:2222
Source: /bin/sh (PID: 5593) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: /tmp/tUzH4zTmwI.elf (PID: 5579) Socket: 127.0.0.1:8345
Source: /tmp/tUzH4zTmwI.elf (PID: 5589) Socket: 0.0.0.0:26721
Source: unknown TCP traffic detected without corresponding DNS query: 212.118.43.167
Source: unknown DNS traffic detected: queries for: dead-cheap-doma.in
Source: Initial sample String containing 'busybox' found: /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: Initial sample String containing 'busybox' found: busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: Initial sample String containing 'busybox' found: @socketsetsockoptbindlisten1.1.1.1hi im here, i think/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPTbusybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPTbindtoipconnectpoll/proc/net/tcp/fd0
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.linELF@0/0@1/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 5593) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: /tmp/tUzH4zTmwI.elf (PID: 5591) Shell command executed: sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
Source: /tmp/tUzH4zTmwI.elf (PID: 5599) Shell command executed: sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
Source: /tmp/tUzH4zTmwI.elf (PID: 5602) Shell command executed: sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
Source: /tmp/tUzH4zTmwI.elf (PID: 5605) Shell command executed: sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
Source: /tmp/tUzH4zTmwI.elf (PID: 5608) Shell command executed: sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
Source: /bin/sh (PID: 5593) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
Source: /tmp/tUzH4zTmwI.elf (PID: 5579) Queries kernel information via 'uname'
Source: /bin/busybox (PID: 5601) Queries kernel information via 'uname'
Source: /usr/bin/busybox (PID: 5610) Queries kernel information via 'uname'
Source: tUzH4zTmwI.elf, 5579.1.00007fff81de6000.00007fff81e07000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/tUzH4zTmwI.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tUzH4zTmwI.elf
Source: tUzH4zTmwI.elf, 5579.1.000055e83f730000.000055e83f7d9000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: tUzH4zTmwI.elf, 5579.1.000055e83f730000.000055e83f7d9000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: tUzH4zTmwI.elf, 5579.1.00007fff81de6000.00007fff81e07000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
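Added triage example (not part of the sandbox report or of the sample): the behaviour above is a bot that binds 0.0.0.0:26721 and 127.0.0.1:8345, opens 26721 with an INPUT ACCEPT rule through five iptables/busybox invocation variants, and holds a TCP session to 212.118.43.167:2222. The script below shows how to check a suspected host for the same pattern offline: it decodes a /proc/net/tcp snapshot (the pseudo-file the sample's own strings reference), extracts --dport ACCEPT rules from `iptables -S INPUT` output or from the raw command strings the report lists, and correlates the two. The /proc/net/tcp rows, the iptables output, the baseline port set and the "well-known" remote port list are constructed for this example and are assumptions, not observations from the report.

```python
"""Correlate listening sockets with INPUT ACCEPT rules (added example, not sandbox output).

Inputs are constructed to mirror what the report recorded: a loopback listener
on 8345, a wildcard listener on 26721 with a matching ACCEPT rule, and an
established session to 212.118.43.167:2222.
"""
import re
from typing import Dict, List, Set, Tuple

TCP_ESTABLISHED = 0x01  # 'st' column values from the kernel's TCP state enum
TCP_LISTEN = 0x0A

# Assumption for the example: remote ports treated as "standard"; tune per host.
WELL_KNOWN_REMOTE = frozenset({22, 25, 53, 80, 123, 443})

# Constructed /proc/net/tcp snapshot (header plus four rows).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2099 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18241 1 0000000000000000 100 0 0 10 0
   1: 00000000:6861 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18250 1 0000000000000000 100 0 0 10 0
   2: 0E02A8C0:8842 A72B76D4:08AE 01 00000000:00000000 00:00000000 00000000     0        0 18262 1 0000000000000000 20 4 30 10 -1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18200 1 0000000000000000 100 0 0 10 0
"""

# Constructed `iptables -S INPUT` output after the sample's rule has been added.
IPTABLES_S_INPUT = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 26721 -j ACCEPT
"""

# Matches both `iptables -S` output and the raw execve strings from the report
# (optional "/bin/busybox " and "/usr/bin/iptables " style prefixes).
ACCEPT_RULE = re.compile(
    r"^(?:\S*busybox\s+)?(?:\S*iptables\s+)?-A INPUT\b.*?--dport (\d+)\b.*?-j ACCEPT$"
)


def hex_to_ipv4(h: str) -> str:
    """/proc/net/tcp prints the address as a host-order u32 in hex; on a
    little-endian host (x86_64, or this sample's mipsel) the bytes are reversed."""
    return ".".join(str(b) for b in bytes.fromhex(h)[::-1])


def parse_proc_net_tcp(text: str) -> List[Tuple[str, int, str, int, int]]:
    """Return (local_ip, local_port, remote_ip, remote_port, state) per row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 4:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        rows.append((hex_to_ipv4(lip), int(lport, 16), hex_to_ipv4(rip), int(rport, 16), int(f[3], 16)))
    return rows


def parse_accept_dports(rules: str) -> Set[int]:
    """Destination ports explicitly opened on INPUT, from rule dumps or command lines."""
    ports: Set[int] = set()
    for line in rules.splitlines():
        m = ACCEPT_RULE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def triage(proc_text: str, rules_text: str, baseline_ports=frozenset({22})) -> Dict[str, list]:
    """Flag wildcard listeners that a non-baseline ACCEPT rule exposes, loopback-only
    listeners, and established sessions to non-standard remote ports."""
    opened = parse_accept_dports(rules_text)
    out: Dict[str, list] = {"exposed": [], "loopback": [], "outbound": []}
    for lip, lport, rip, rport, state in parse_proc_net_tcp(proc_text):
        if state == TCP_LISTEN:
            if lip.startswith("127."):
                out["loopback"].append(lport)
            elif lport in opened and lport not in baseline_ports:
                out["exposed"].append(lport)
        elif state == TCP_ESTABLISHED and rport not in WELL_KNOWN_REMOTE:
            out["outbound"].append(f"{rip}:{rport}")
    return out


if __name__ == "__main__":
    for kind, items in triage(PROC_NET_TCP, IPTABLES_S_INPUT).items():
        print(f"{kind}: {items}")
```

On a live host, feed it the output of `cat /proc/net/tcp` and `iptables -S INPUT` instead of the constructed strings. Two caveats follow from the report itself: the sample tries five spellings of the same iptables command (plain, busybox applet, and three absolute paths), so the absence of one binary is not a control; and the bot reads /proc/net/tcp on its own, so a listener it does not want seen could be hidden only from tools that trust the bot's process, not from this pseudo-file read directly by the analyst.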