Linux Analysis Report
kWVY0Rqmlx.elf

Overview

General Information

Sample name: kWVY0Rqmlx.elf
renamed because original name is a hash value
Original sample name: 89a3962a4218572b4bc0e978afd529cc.elf
Analysis ID: 1432066
MD5: 89a3962a4218572b4bc0e978afd529cc
SHA1: 76dea3d1a1aef7a9fef2985ffc627b54f53e785b
SHA256: 0ae749a5ecfe43e848a079f3d966edf57e1d1e2df5d8cce37eb8d0b71d368748
Tags: 32, elf, mips, mirai

Detection

Okiru
Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Okiru
Detected TCP or UDP traffic on non-standard ports
Reads CPU information from /proc indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: kWVY0Rqmlx.elf ReversingLabs: Detection: 13%
Source: kWVY0Rqmlx.elf Virustotal: Detection: 24%
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) Reads CPU info from proc file: /proc/cpuinfo
Source: global traffic TCP traffic: 192.168.2.13:39284 -> 80.182.142.45:5900
Source: unknown TCP traffic detected without corresponding DNS query: 80.182.142.45
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /proc/proc/%s/exe/var/Challenge/app/hi3511/gmDVR/ibox/usr/dvr_main _8182T_1108/mnt/mtd/app/gui/var/Kylin/l0 c/udevd/anko-app/ankosample _8182T_1104/var/tmp/sonia/hicore/stm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-server/usr//shell/mnt//sys//bin//boot//media//srv//var/run//sbin//lib//etc//dev//home/Davinci/telnet/ssh/var/spool/var/Sofia/sshd/usr/compress/bin//compress/bin/compress/usr//bash/httpd/telnetd/dropbear/ropbear/encoder/system/root/dvr_gui//root/dvr_app//anko-app//opt//softbot.arm/softbot.arm6/softbot.dbg/softbot.mpsl/softbot.x86/softbot.arm5/softbot.arm7/softbot.mips/softbot.sh4softbot.armsoftbot.arm6softbot.dbgsoftbot.mpslsoftbot.x86softbot.arm5softbot.arm7softbot.mipssoftbot.sh4/bin/sh8.8.8.8murderwaswrote
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/0@2/0
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) Reads from proc file: /proc/cpuinfo
Source: /tmp/kWVY0Rqmlx.elf (PID: 5412) Reads from proc file: /proc/meminfo
Source: /tmp/kWVY0Rqmlx.elf (PID: 5406) Queries kernel information via 'uname'
Source: kWVY0Rqmlx.elf, 5406.1.000055c48b310000.000055c48b397000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.000055c48b310000.000055c48b397000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: kWVY0Rqmlx.elf, 5406.1.000055c48b310000.000055c48b397000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.000055c48b310000.000055c48b397000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: kWVY0Rqmlx.elf, 5406.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/kWVY0Rqmlx.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kWVY0Rqmlx.elf
Source: kWVY0Rqmlx.elf, 5406.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp, kWVY0Rqmlx.elf, 5410.1.00007ffe4805e000.00007ffe4807f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips

Stealing of Sensitive Information

Source: Yara match File source: kWVY0Rqmlx.elf, type: SAMPLE
Source: Yara match File source: 5410.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5406.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5406, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5410, type: MEMORYSTR
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0

Remote Access Functionality

Source: Yara match File source: kWVY0Rqmlx.elf, type: SAMPLE
Source: Yara match File source: 5410.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5406.1.00007f1234400000.00007f1234428000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5406, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kWVY0Rqmlx.elf PID: 5410, type: MEMORYSTR