Linux Analysis Report
RJ93lr3oq2.elf

Overview

General Information

Sample name: RJ93lr3oq2.elf
(renamed because the original name is a hash value)
Original sample name: 9363e31f6a3cc4562b85a88d51cb4aa6.elf
Analysis ID: 1431963
MD5: 9363e31f6a3cc4562b85a88d51cb4aa6
SHA1: 4636d64fab27064aaf165844fb8cd9a0c9bcb917
SHA256: c401fb37ba661c8e0806530b55de040743048d23035be6694b841c9c69a427ab
Tags: 32, elf, intel, mirai

Detection

Okiru
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Okiru
Machine Learning detection for sample
Reads CPU information from /proc indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

AV Detection

Source: RJ93lr3oq2.elf Virustotal: Detection: 23%
Source: RJ93lr3oq2.elf Joe Sandbox ML: detected
Source: /tmp/RJ93lr3oq2.elf (PID: 5438) Reads CPU info from proc file: /proc/cpuinfo
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
Note: daisy.ubuntu.com is Canonical's crash-reporting (whoopsie/apport) endpoint and 185.125.190.26 lies in Canonical's 185.125.188.0/22 range; the report attributes this traffic to "global traffic"/"unknown" rather than to any of the sample's PIDs (5435, 5437, 5438). Treat it as analysis-VM background telemetry, not as C2 evidence, unless a per-process capture ties it to the sample.

System Summary

Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /proc/proc/%s/exe/var/Challenge/app/hi3511/gmDVR/ibox/usr/dvr_main _8182T_1108/mnt/mtd/app/gui/var/Kylin/l0 c/udevd/var/tmp/sonia/hicore/stm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/shell/mnt//sys//boot//media//srv//var/run//sbin//lib//etc//dev//home/Davinci/telnet/ssh/var/spool/var/Sofia/sshd/usr/compress/bin//compress/bin/compress/usr//bash/httpd/telnetd/dropbear/ropbear/encoder/system/root/dvr_gui//root/dvr_app//anko-app//opt//softbot.arm/softbot.arm6/softbot.dbg/softbot.mpsl/softbot.x86/softbot.arm5/softbot.arm7/softbot.mips/softbot.sh4/bin/sh/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-server3s
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/RJ93lr3oq2.elf (PID: 5436) SIGKILL sent: pid: 5438, result: successful
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: RJ93lr3oq2.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: classification engine Classification label: mal68.troj.linELF@0/0@2/0
Source: /tmp/RJ93lr3oq2.elf (PID: 5438) Reads from proc file: /proc/cpuinfo
Source: /tmp/RJ93lr3oq2.elf (PID: 5438) Reads CPU info from proc file: /proc/cpuinfo
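The finding ".symtab present: no" above is the static check most triage workflows want to reproduce locally before trusting a sandbox verdict. The following added example (not part of the Joe Sandbox report and not code from the sample) parses only the ELF header and the section header table with `struct`, handles ELF32/ELF64 in either byte order, and treats a missing section header table (`e_shoff == 0`, typical of packed samples) as "no .symtab". The two ELF images it runs on are constructed in-memory fixtures, not the analysed binary; their `0x08048000` entry merely mirrors the non-PIE i386 base seen in the report's `0000000008048000` memory dumps.

```python
"""Check whether an ELF image carries a .symtab section, i.e. whether it is stripped."""
import struct

ELF_MAGIC = b"\x7fELF"


def elf_section_names(data: bytes) -> list:
    """Return every section name in an ELF32/ELF64 image (either endianness).

    Only the ELF header and the section header table are parsed; a missing
    section header table (e_shoff == 0 or e_shnum == 0) yields an empty list.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"           # EI_DATA: 1 = LSB, 2 = MSB
    if ei_class == 1:                                # ELF32: e_entry/e_phoff/e_shoff are 32-bit
        ehdr_fmt, shdr_fmt = "HHIIIIIHHHHHH", "IIIIIIIIII"
    elif ei_class == 2:                              # ELF64: they are 64-bit
        ehdr_fmt, shdr_fmt = "HHIQQQIHHHHHH", "IIQQQQIIQQ"
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    # Fields after the 16-byte e_ident: e_type e_machine e_version e_entry e_phoff e_shoff
    #   e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    hdr = struct.unpack_from(endian + ehdr_fmt, data, 16)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[5], hdr[10], hdr[11], hdr[12]
    if e_shoff == 0 or e_shnum == 0:
        return []
    # Section header fields: sh_name sh_type sh_flags sh_addr sh_offset sh_size sh_link ...
    shdrs = [struct.unpack_from(endian + shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    st_off, st_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]   # the .shstrtab section
    shstrtab = data[st_off:st_off + st_size]
    names = []
    for sh in shdrs:
        end = shstrtab.find(b"\0", sh[0])            # sh_name is an offset into .shstrtab
        names.append(shstrtab[sh[0]:end if end != -1 else None].decode("ascii", "replace"))
    return names


def is_stripped(data: bytes) -> bool:
    """True when no .symtab section exists (the report's '.symtab present: no')."""
    return ".symtab" not in elf_section_names(data)


def build_elf32_i386(section_names: list) -> bytes:
    """Construct a minimal little-endian ELF32 EM_386 image with the given sections.

    Hypothetical test fixture only: it has no program headers and is not loadable.
    The 0x08048000 entry mirrors the non-PIE i386 base seen in the report's dumps.
    """
    shstrtab, name_off = b"\0", {}
    for n in section_names + [".shstrtab"]:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    ehsize, shentsize = 52, 40
    shstr_off = ehsize                               # .shstrtab bytes follow the ELF header
    shoff = (shstr_off + len(shstrtab) + 3) & ~3     # 4-byte-align the section header table
    all_names = [""] + section_names + [".shstrtab"]  # index 0 is the mandatory null section
    shnum, shstrndx = len(all_names), len(all_names) - 1
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELF32, LSB, version 1, SYSV ABI
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 0, shoff, 0,
                                 ehsize, 32, 0, shentsize, shnum, shstrndx)
    img = ehdr + shstrtab
    img += b"\0" * (shoff - len(img))
    for n in all_names:
        if n == "":
            img += b"\0" * shentsize
            continue
        sh_type = 3 if n == ".shstrtab" else 2 if n == ".symtab" else 1   # STRTAB/SYMTAB/PROGBITS
        off, size = (shstr_off, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        img += struct.pack("<IIIIIIIIII", name_off[n], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return img


# Constructed fixtures (not the real sample): one stripped, one carrying .symtab/.strtab.
STRIPPED_SAMPLE = build_elf32_i386([".text", ".rodata", ".data", ".bss"])
UNSTRIPPED_SAMPLE = build_elf32_i386([".text", ".rodata", ".data", ".bss", ".symtab", ".strtab"])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "stripped" if is_stripped(f.read()) else "has .symtab")
```

Run it as `python elf_symtab_check.py RJ93lr3oq2.elf` against a real file; the parser reads section names from `.shstrtab` rather than trusting `sh_type`, so a binary whose section table was deliberately mangled still reports what the loader-irrelevant metadata claims, which is why a "stripped" result should be cross-checked against the sandbox's own static-info line rather than taken alone.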

Stealing of Sensitive Information

Source: Yara match File source: RJ93lr3oq2.elf, type: SAMPLE
Source: Yara match File source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RJ93lr3oq2.elf PID: 5435, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RJ93lr3oq2.elf PID: 5437, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RJ93lr3oq2.elf PID: 5438, type: MEMORYSTR
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
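The ten User-Agent strings above appear individually and then once more as one fused string, the form the report shows in its last finding. The following added example (not from the Joe Sandbox report and not code from the Mirai/Okiru family) extracts User-Agent strings from a raw binary blob the way `strings` would, splits a fused run at every `Mozilla/x.y (` boundary so each UA is recovered separately, and tags each with the browser and OS it impersonates. The `.rodata`-like byte blob it scans is constructed for the example, not copied from the sample.

```python
"""Extract and classify browser User-Agent strings embedded in a binary blob."""
import re

# A UA begins with a "Mozilla/<major>.<minor> (" product token; a run of UAs with no
# separator between them is cut at every such boundary after the first.
UA_START = re.compile(rb"Mozilla/\d+\.\d+ \(")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")   # same idea as `strings -n 8`


def extract_user_agents(blob: bytes) -> list:
    """Return the distinct User-Agent strings in blob, in first-seen order.

    Printable runs are collected first, then every run containing a UA start is
    split at each "Mozilla/x.y (" so a fused run yields one entry per UA.
    """
    found = []
    for run in PRINTABLE_RUN.finditer(blob):
        s = run.group()
        starts = [m.start() for m in UA_START.finditer(s)]
        if not starts:
            continue
        starts.append(len(s))
        for a, b in zip(starts, starts[1:]):
            ua = s[a:b].decode("ascii").strip()
            if ua not in found:
                found.append(ua)
    return found


def classify_ua(ua: str) -> tuple:
    """Map a UA string to the (browser, platform) pair it impersonates."""
    browser = "Firefox" if "Firefox/" in ua else "Chrome" if "Chrome/" in ua else "other"
    if "Windows" in ua:
        platform = "Windows"
    elif "Mac OS X" in ua:
        platform = "macOS"
    elif "Linux" in ua or "X11" in ua:
        platform = "Linux"
    else:
        platform = "other"
    return browser, platform


# Constructed .rodata-style blob (not the real sample): one NUL-terminated UA, then two
# UAs stored back to back with no separator, plus unrelated strings that must be ignored.
SAMPLE_RODATA = (
    b"\0\0/bin/busybox\0"
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    b"Chrome/102.0.0.0 Safari/537.36\0"
    b"Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
    b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
    b"Chrome/101.0.4951.54 Safari/537.36\0"
    b"\x01\x02GET /%s HTTP/1.1\r\n\0"
)

if __name__ == "__main__":
    for ua in extract_user_agents(SAMPLE_RODATA):
        print("%-8s %-8s %s" % (*classify_ua(ua), ua))
```

The browser/platform tags give a quick picture of what the hard-coded UA pool is meant to blend into (all desktop Chrome and Firefox builds from mid-2022 in the report above), which is useful when writing HTTP flood detections: the UAs are legitimate strings, so they are an attribution hint rather than a signature on their own.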

Remote Access Functionality

Source: Yara match File source: RJ93lr3oq2.elf, type: SAMPLE
Source: Yara match File source: 5435.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5437.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5438.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RJ93lr3oq2.elf PID: 5435, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RJ93lr3oq2.elf PID: 5437, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RJ93lr3oq2.elf PID: 5438, type: MEMORYSTR