Linux Analysis Report
SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf

Overview

General Information

Sample name:	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf
Analysis ID:	1430165
MD5:	55caac50c41205377ba38c44d268cb7f
SHA1:	5c95ce4b9de9d57cfa3b6c9622a7f6e882885c4b
SHA256:	2932daa36ba6b8eebed723b1549d85673811a4abeb41f9bc37cc02569811e10e
Tags:	elf
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Queries the IP of a very long domain name

Sample deletes itself

Connects to many different domains

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Virustotal: Detection: 18%			Perma Link
Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	ReversingLabs: Detection: 39%

Networking

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f366a0PV!E((23;5%)V'fNNPV!a0E@QU@@.h3;5,f)kzadolfhitlersusV'f66a0PV!.E(($23;.5+)
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f66a0PV!E(($23;5+)V'f!NNPV!a0E@Q}@@.@3;>5,n6)kzadolfhitlersusV'f66a0PV!.E((L2a3;.5>u)
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f66a0PV!E((L2a3;5>u)V'fNNPV!a0E@Q@@.3;5,)kzadolfhitlersusV'f366a0PV!.E((]2P3;.52)
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f366a0PV!E((]2P3;52)V'f4NNPV!a0E@Q@@.3;5,)kzadolfhitlersusV'ft66a0PV!.E((o2>3;.5#))
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'ft66a0PV!E((o2>3;5#))V'fJJPV!a0E<@@.F\|~XV'fz66a0PV!.E((@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'fqh66a0PV!EH(E28=5v=V'fiNNPV!a0E@i@@.=5,R=..siegheil.hiter.su.V'f#>66a0PV!EH(m37=5=V'f>NNPV!a0E@i7@@.=5,=
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f#>66a0PV!EH(m37=5=V'f>NNPV!a0E@i7@@.=5,=
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f66a0PV!EH({37~=5 =V'fNNPV!a0E@i@@@.=t5,`g=
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'ff66a0PV!EH(}37\|=5t=V'fNNPV!a0E@ic@@.=j5,gq=
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'fo66a0PV!EH(28i=5j=V'fyJJPV!a0E<@@.FNIXV'fr.66
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'fu66a0PV!EH(W6}5WV'fNNPV!a0E@7@@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f[66a0PV!EH(\6}5=[V'f^\NNPV!a0E@7@@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f66a0PV!EH(}6}{5N\V'f+NNPV!a0E@7@@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f:66a0PV!EH(6}w5KOV'f;NNPV!a0E@8@@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f66a0PV!EH(6}X56V'fJJPV!a0E<B@@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f^66a0PV!EH(\4T5GJEV'f<_NNPV!a0E@\@@.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f66a0PV!EH(w5S5EV'fNNPV!a0E@_@@.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fD66a0PV!EH(3U5EV'ftENNPV!a0E@@@.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f*66a0PV!EH(5S5EV'fNNPV!a0E@@@.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fPx66a0PV!EH(4Tc5EV'fqyJJPV!a0E<B@@.nFXl5~V'fEr66a0PV!E((
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fC66a0PV!E((485mV'f{DNNPV!a0E@V@@..=5,9.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f66a0PV!E((575=8V'fNNPV!a0E@a@@..!5,i.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f66a0PV!E((%475!TV'fHNNPV!a0E@q@@.. 5,Q.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f3V66a0PV!E((/565 UV'fVNNPV!a0E@w@@..d5,~.
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fG66a0PV!E((6565dV'fJJPV!a0E<p@@.@F}^3!V'f66a0PV!E((@0F}^PI.'fUUPV!a0EGrw@@=153%?sexsecure-cyber-.ecurityV'f56UUa0PV!EHG=3-=513/?sexsecure-cyber-securityV.f6UUPV!a0EGr@@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f;NNPV!a0E@5@@^ru5,usiegheilhitersusV'fBNN
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'fBNNPV!a0E@@@0^r5,LusiegheilhitersusV'fBB
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'fBBPV!a0E4@@}9H ``veCIPV'f%QNNPV!a0.E@\|@
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'f;`NNPV!a0E@@@c^r5,cusiegheilhitersusV'fnJJ
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.V'fnJJPV!a0E<ld@@LF\|(V'fti66a
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f66a0PV!E((23;5SV'fNNPV!a0E@].@@D^3;L5,5kzadolfhitlersunV'fVt66a0PV!E(('
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fVt66a0PV!E(('23;5LV'fvNNPV!a0E@].@@DA3;5,6kzadolfhitlersunV'fc66a0PV!E((L2a3;5ou
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fc66a0PV!E((L2a3;5ouV'f:NNPV!a0E@]
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'fXb66a0PV!E((q2<3;5DV'fBcNNPV!a0E@]
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.V'f=66a0PV!E((2+3;5SpV'fJJPV!a0E<
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.V'f(66a0PV!E((/E-3M56+mV'f*VVPV!a0EHUr@@.3M54c+msexsecure-cyber-securitysV'f66a0PV!.E((
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.V'f66a0PV!E((/E#3M5+mV'f&VVPV!a0EHUx@@.3M54r+msexsecure-cyber-securitysV'f/X66a0PV!.E((
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.V'f/X66a0PV!E((/E3M5+mV'fYVVPV!a0EHU@@.3M54N+msexsecure-cyber-securitysV'f66a0PV!.E((
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.V'f66a0PV!E((/E3M5A+mV'fVVPV!a0EHU@@.n3Mx542+msexsecure-cyber-securitysV'f(66a0PV!.E((
Source: unknown	DNS traffic detected: query: sex.secure-cyber-security.V'f(66a0PV!E(( /D3M5x+mV'fJJPV!a0E<2@@
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNNPV!a0E@;@@!5,mkzadolfhitlersunW'fN
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNNPV!a0E@@@1!5,.mkzadolfhitlersunW'fN
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fNNPV!a0E@@@q5,IImkzadolfhitlersunW'f;N
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'f;NNPV!a0E@@@8P5,mkzadolfhitlersunW'fJ
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.W'fJJPV!a0E<m@@NCF)jBW'f66

Connects to many different domains

Source: unknown

Network traffic detected: DNS query count 48

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.14:54444 -> 212.70.149.14:35342

Sample listens on a socket

Source: /tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf (PID: 5506)

Socket: 127.0.0.1::8345

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254

Source: unknown

DNS traffic detected: queries for: sex.secure-cyber-security

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Sample tries to kill a process (SIGKILL)

Source: /tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf (PID: 5512)

SIGKILL sent: pid: 888, result: successful

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.linELF@0/0@76/0

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 5488)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.RPy1iTl5xo /tmp/tmp.VOkGWvI04c /tmp/tmp.pAxIvNGzLh			Jump to behavior
Source: /usr/bin/dash (PID: 5498)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.RPy1iTl5xo /tmp/tmp.VOkGWvI04c /tmp/tmp.pAxIvNGzLh			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf (PID: 5506)

File: /tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf

Jump to behavior

ELF contains segments with high entropy indicating compressed/encrypted content

Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Submission file: segment LOAD with 7.8835 entropy (max. 8.0)
Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf	Submission file: segment LOAD with 7.9779 entropy (max. 8.0)

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf (PID: 5506)

Queries kernel information via 'uname':

Jump to behavior

Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf, 5506.1.0000556553eb8000.0000556554029000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf, 5506.1.00007ffe945a5000.00007ffe945c6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf, 5506.1.0000556553eb8000.0000556554029000.rw-.sdmp	Binary or memory string: SeU!/etc/qemu-binfmt/arm
Source: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf, 5506.1.00007ffe945a5000.00007ffe945c6000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf PID: 5506, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf PID: 5506, type: MEMORYSTR

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.70.149.14	unknown	Bulgaria		208410	INTERNET-HOSTINGBG	false
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Contacted Domains

Name	IP	Active
siegheil.hiter.su.V'fu66a0PV!EH(W6}5WV'fNNPV!a0E@7@@	unknown	unknown
kz.adolfhitler.su.V'f*66a0PV!EH(5S5EV'fNNPV!a0E@@@.	unknown	unknown
siegheil.hiter.su.V'ff66a0PV!EH(}37\|=5t=V'fNNPV!a0E@ic@@.=j5,gq=	unknown	unknown
kz.adolfhitler.su.V'f66a0PV!E((L2a3;5>u)V'fNNPV!a0E@Q@@.3;5,)kzadolfhitlersusV'f366a0PV!.E((]2P3;.52)	unknown	unknown
kz.adolfhitler.su.V'fXb66a0PV!E((q2<3;5DV'fBcNNPV!a0E@]	unknown	unknown
kz.adolfhitler.su.V'fG66a0PV!E((6565dV'fJJPV!a0E<p@@.@F}^3!V'f66a0PV!E((@0F}^PI.'fUUPV!a0EGrw@@=153%?sexsecure-cyber-.ecurityV'f56UUa0PV!EHG=3-=513/?sexsecure-cyber-securityV.f6UUPV!a0EGr@@	unknown	unknown
sex.secure-cyber-security.V'f66a0PV!E((/E3M5A+mV'fVVPV!a0EHU@@.n3Mx542+msexsecure-cyber-securitysV'f(66a0PV!.E((	unknown	unknown
siegheil.hiter.su.V'f66a0PV!EH({37~=5 =V'fNNPV!a0E@i@@@.=t5,`g=	unknown	unknown
siegheil.hiter.su.V'f#>66a0PV!EH(m37=5=V'f>NNPV!a0E@i7@@.=5,=	unknown	unknown
siegheil.hiter.su.V'fqh66a0PV!EH(E28=5v=V'fiNNPV!a0E@i@@.=5,R=..siegheil.hiter.su.V'f#>66a0PV!EH(m37=5=V'f>NNPV!a0E@i7@@.=5,=	unknown	unknown
kz.adolfhitler.su.V'f66a0PV!E((%475!TV'fHNNPV!a0E@q@@.. 5,Q.	unknown	unknown
sex.secure-cyber-security.V'f(66a0PV!E((/E-3M56+mV'f*VVPV!a0EHUr@@.3M54c+msexsecure-cyber-securitysV'f66a0PV!.E((	unknown	unknown
siegheil.hiter.su.V'fo66a0PV!EH(28i=5j=V'fyJJPV!a0E<@@.FNIXV'fr.66	unknown	unknown
kz.adolfhitler.su.V'f66a0PV!E((23;5SV'fNNPV!a0E@].@@D^3;L5,5kzadolfhitlersunV'fVt66a0PV!E(('	unknown	unknown
kz.adolfhitler.su.W'f;NNPV!a0E@@@8P5,mkzadolfhitlersunW'fJ	unknown	unknown
kz.adolfhitler.su.V'f^66a0PV!EH(\4T5GJEV'f<_NNPV!a0E@\@@.	unknown	unknown
kz.adolfhitler.su.V'f366a0PV!E((23;5%)V'fNNPV!a0E@QU@@.h3;5,f)kzadolfhitlersusV'f66a0PV!.E(($23;.5+)	unknown	unknown
kz.adolfhitler.su.V'fc66a0PV!E((L2a3;5ouV'f:NNPV!a0E@]	unknown	unknown
kz.adolfhitler.su.V'ft66a0PV!E((o2>3;5#))V'fJJPV!a0E<@@.F\|~XV'fz66a0PV!.E((@	unknown	unknown
siegheil.hiter.su.V'f:66a0PV!EH(6}w5KOV'f;NNPV!a0E@8@@	unknown	unknown
siegheil.hiter.su.V'f;NNPV!a0E@5@@^ru5,usiegheilhitersusV'fBNN	unknown	unknown
siegheil.hiter.su.V'f;`NNPV!a0E@@@c^r5,cusiegheilhitersusV'fnJJ	unknown	unknown
siegheil.hiter.su.V'f[66a0PV!EH(\6}5=[V'f^\NNPV!a0E@7@@	unknown	unknown
kz.adolfhitler.su.W'fNNPV!a0E@@@q5,IImkzadolfhitlersunW'f;N	unknown	unknown
kz.adolfhitler.su.V'f66a0PV!E((575=8V'fNNPV!a0E@a@@..!5,i.	unknown	unknown
siegheil.hiter.su.V'fnJJPV!a0E<ld@@LF\|(V'fti66a	unknown	unknown
sex.secure-cyber-security.V'f66a0PV!E((/E#3M5+mV'f&VVPV!a0EHUx@@.3M54r+msexsecure-cyber-securitysV'f/X66a0PV!.E((	unknown	unknown
kz.adolfhitler.su.W'fJJPV!a0E<m@@NCF)jBW'f66	unknown	unknown
kz.adolfhitler.su.V'fC66a0PV!E((485mV'f{DNNPV!a0E@V@@..=5,9.	unknown	unknown
security.rebirth-network.su	unknown	unknown
kz.adolfhitler.su.V'fD66a0PV!EH(3U5EV'ftENNPV!a0E@@@.	unknown	unknown
kz.adolfhitler.su.V'f66a0PV!E(($23;5+)V'f!NNPV!a0E@Q}@@.@3;>5,n6)kzadolfhitlersusV'f66a0PV!.E((L2a3;.5>u)	unknown	unknown
kz.adolfhitler.su.V'f66a0PV!EH(w5S5EV'fNNPV!a0E@_@@.	unknown	unknown
sex.secure-cyber-security.V'f/X66a0PV!E((/E3M5+mV'fYVVPV!a0EHU@@.3M54N+msexsecure-cyber-securitysV'f66a0PV!.E((	unknown	unknown
siegheil.hiter.su.V'f66a0PV!EH(6}X56V'fJJPV!a0E<B@@	unknown	unknown
kz.adolfhitler.su.V'fPx66a0PV!EH(4Tc5EV'fqyJJPV!a0E<B@@.nFXl5~V'fEr66a0PV!E((	unknown	unknown
sex.secure-cyber-security.V'f(66a0PV!E(( /D3M5x+mV'fJJPV!a0E<2@@	unknown	unknown
security.rebirth-network.su.	unknown	unknown
kz.adolfhitler.su.V'fVt66a0PV!E(('23;5LV'fvNNPV!a0E@].@@DA3;5,6kzadolfhitlersunV'fc66a0PV!E((L2a3;5ou	unknown	unknown
kz.adolfhitler.su.W'fNNPV!a0E@;@@!5,mkzadolfhitlersunW'fN	unknown	unknown
kz.adolfhitler.su.V'f3V66a0PV!E((/565 UV'fVNNPV!a0E@w@@..d5,~.	unknown	unknown
siegheil.hiter.su.V'fBBPV!a0E4@@}9H ``veCIPV'f%QNNPV!a0.E@\|@	unknown	unknown
sex.secure-cyber-security	unknown	unknown
siegheil.hiter.su.V'f66a0PV!EH(}6}{5N\V'f+NNPV!a0E@7@@	unknown	unknown
kz.adolfhitler.su.V'f=66a0PV!E((2+3;5SpV'fJJPV!a0E<	unknown	unknown
kz.adolfhitler.su.W'fNNPV!a0E@@@1!5,.mkzadolfhitlersunW'fN	unknown	unknown
kz.adolfhitler.su.V'f366a0PV!E((]2P3;52)V'f4NNPV!a0E@Q@@.3;5,)kzadolfhitlersusV'ft66a0PV!.E((o2>3;.5#))	unknown	unknown
siegheil.hiter.su.V'fBNNPV!a0E@@@0^r5,LusiegheilhitersusV'fBB	unknown	unknown

ID:	1430165
Product:	CloudBasic
Start time:	08:34:37
Start date:	23.04.2024
Sample:	SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	55caac50c41205377ba38c44d268cb7f
SHA1:	5c95ce4b9de9d57cfa3b6c9622a7f6e882885c4b
SHA256:	2932daa36ba6b8eebed723b1549d85673811a4abeb41f9bc37cc02569811e10e
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
SecuriteInfo.com.Linux.Mirai.8362.8829.19078.elf

Malware Threat Intel
Provided by