Linux Analysis Report
EwFT3M4fD1.elf

Overview

General Information

Sample name: EwFT3M4fD1.elf
(renamed: the original file name is the sample's MD5 hash)
Original sample name: a7c948a107a9d73c3b65c630bdf6fd51.elf
Analysis ID: 1432069
MD5: a7c948a107a9d73c3b65c630bdf6fd51
SHA1: d966dfd3099d11976f796d82bc2ca6d3208dcb9f
SHA256: 76496f9bf9b3bdf9c82b3a384b2e0a50c2eb8f146cbcc79fb134a77e11bb594e
Tags: 32 elf intel mirai

Detection

Okiru
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Okiru
Machine Learning detection for sample
Reads CPU information from /proc indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Yara signature match

Classification

AV Detection

Source: EwFT3M4fD1.elf ReversingLabs: Detection: 28%
Source: EwFT3M4fD1.elf Virustotal: Detection: 21%
Source: EwFT3M4fD1.elf Joe Sandbox ML: detected
Source: /tmp/EwFT3M4fD1.elf (PID: 5531) Reads CPU info from proc file: /proc/cpuinfo
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com (Ubuntu's crash-reporting host; background noise of the analysis VM, not a C2 lookup attributable to the sample)

System Summary

Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 Author: unknown
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 Author: unknown
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /proc/proc/%s/exe/var/Challenge/app/hi3511/gmDVR/ibox/usr/dvr_main _8182T_1108/mnt/mtd/app/gui/var/Kylin/l0 c/udevd/var/tmp/sonia/hicore/stm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/shell/mnt//sys//boot//media//srv//var/run//sbin//lib//etc//dev//home/Davinci/telnet/ssh/var/spool/var/Sofia/sshd/usr/compress/bin//compress/bin/compress/usr//bash/httpd/telnetd/dropbear/ropbear/encoder/system/root/dvr_gui//root/dvr_app//anko-app//opt//softbot.arm/softbot.arm6/softbot.dbg/softbot.mpsl/softbot.x86/softbot.arm5/softbot.arm7/softbot.mips/softbot.sh4/bin/sh/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-server
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/EwFT3M4fD1.elf (PID: 5529) SIGKILL sent: pid: 5531, result: successful
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: EwFT3M4fD1.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_aa39fb02 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b136ba6496816ba9737a3eb0e633c28a337511a97505f06e52f37b38599587cb, id = aa39fb02-ca7e-4809-ab5d-00e92763f7ec, last_modified = 2021-09-16
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_d18b3463 reference_sample = cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4b3d3bb65db2cdb768d91c50928081780f206208e952c74f191d8bc481ce19c6, id = d18b3463-1b5e-49e1-9ae8-1d63a10a1ccc, last_modified = 2021-09-16
Source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: classification engine Classification label: mal68.troj.linELF@0/0@2/0
Source: /tmp/EwFT3M4fD1.elf (PID: 5531) Reads from proc file: /proc/cpuinfo
Source: /tmp/EwFT3M4fD1.elf (PID: 5531) Reads CPU info from proc file: /proc/cpuinfo
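The ".symtab present: no" finding, together with the r-x memory dump at 0x08048000 (the default text base of a non-PIE i386 executable, matching the "32 elf intel" tags), can be confirmed from the ELF section headers without a sandbox. The script below is an added example, not part of the Joe Sandbox report: it parses an ELF32 little-endian header and section table, reports type, machine and entry point, and checks whether an SHT_SYMTAB section exists. The image it parses by default is a constructed minimal fixture, not the sample; `build_minimal_elf32`, `elf_sections`, `is_stripped` and `elf_summary` are names chosen here.

```python
"""Section-header check for a stripped ELF32 binary (added example)."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2LSB = 1, 1
SHT_SYMTAB, SHT_STRTAB = 2, 3
EHDR_FMT = "<HHIIIIIHHHHHH"    # Elf32_Ehdr fields after the 16-byte e_ident
SHDR_FMT = "<IIIIIIIIII"       # Elf32_Shdr
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN"}
E_MACHINE = {3: "EM_386", 8: "EM_MIPS", 40: "EM_ARM", 62: "EM_X86_64"}


def build_minimal_elf32(with_symtab: bool) -> bytes:
    """Constructed fixture (not the report's sample): an i386 ET_EXEC image
    with entry 0x08048000 and a section header table holding the NULL
    section, .shstrtab and, optionally, an empty .symtab."""
    names = [b".shstrtab"] + ([b".symtab"] if with_symtab else [])
    shstr = b"\x00" + b"".join(n + b"\x00" for n in names)
    ehsize, shentsize = 52, 40
    shnum = 2 + int(with_symtab)
    shstr_off = ehsize                     # string table follows the header
    shoff = shstr_off + len(shstr)         # section headers follow the strings
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack(EHDR_FMT, 2, 3, 1, 0x08048000, 0, shoff, 0,
                               ehsize, 0, 0, shentsize, shnum, 1)

    def shdr(name_off, sh_type, offset, size):
        return struct.pack(SHDR_FMT, name_off, sh_type, 0, 0, offset, size, 0, 0, 1, 0)

    shdrs = shdr(0, 0, 0, 0) + shdr(1, SHT_STRTAB, shstr_off, len(shstr))
    if with_symtab:
        shdrs += shdr(1 + len(b".shstrtab") + 1, SHT_SYMTAB, 0, 0)
    return ehdr + shstr + shdrs


def _header(data: bytes):
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        raise ValueError("this parser handles ELFCLASS32 little-endian only")
    return struct.unpack_from(EHDR_FMT, data, 16)


def elf_sections(data: bytes):
    """Return [(name, sh_type)] for every section header. An image whose
    section header table was removed entirely (e_shnum == 0, as produced
    by sstrip-style tools) yields an empty list rather than an error."""
    (_t, _m, _v, _e, _phoff, shoff, _f, _ehs, _phes, _phn,
     shentsize, shnum, shstrndx) = _header(data)
    if shnum == 0:
        return []
    hdrs = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)
            for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    out = []
    for h in hdrs:
        end = strtab.find(b"\x00", h[0])
        name = strtab[h[0]:end if end >= 0 else None].decode("ascii", "replace")
        out.append((name, h[1]))
    return out


def is_stripped(data: bytes) -> bool:
    """True when no SHT_SYMTAB section exists (the report's
    '.symtab present: no'); a missing section table counts as stripped."""
    return not any(t == SHT_SYMTAB for _, t in elf_sections(data))


def elf_summary(data: bytes) -> dict:
    e_type, e_machine, _v, e_entry = struct.unpack_from("<HHII", data, 16)
    return {
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "stripped": is_stripped(data),
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_elf32(False)
    print(elf_summary(blob))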

Stealing of Sensitive Information

Source: Yara match File source: EwFT3M4fD1.elf, type: SAMPLE
Source: Yara match File source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EwFT3M4fD1.elf PID: 5528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EwFT3M4fD1.elf PID: 5530, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EwFT3M4fD1.elf PID: 5531, type: MEMORYSTR
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
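The BusyBox, process-path and User-Agent findings above all come from static string extraction. The script below is an added example of that triage, not Joe Sandbox's code: it pulls printable runs out of a byte blob the way `strings -n 4` does and tags the indicator classes the report uses. The blob is constructed from strings the report itself lists, not from the sample's bytes; `KILL_LIST_MARKERS` is an assumed subset of the path list quoted under System Summary; `extract_strings`, `triage` and `verdict` are names chosen here. One caveat a reader should carry away: a table of desktop-browser User-Agents inside a headless IoT binary is the rotation list of an HTTP-flood attack method (hence "HTTP manipulation"), and the "Stealing of Sensitive Information" heading it lands under is the engine's category, not evidence of credential theft.

```python
"""Static string triage of a Mirai-style ELF (added example)."""
import re
from collections import Counter

# Constructed fixture: NUL-separated strings copied from the report's own
# findings, standing in for a .rodata dump. Not the sample's bytes.
SAMPLE_BLOB = b"\x00".join([
    b"\x7fELF\x01\x01\x01",     # header bytes: too short/non-printable to survive extraction
    b"/bin/busybox",
    b"/proc/%s/exe",
    b"/var/Sofia",
    b"/usr/lib/systemd/systemd",
    b"softbot.arm7",
    b"softbot.x86",
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
    b"Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
]) + b"\x00"

UA_RE = re.compile(r"^Mozilla/\d\.\d \(")
# Assumed subset of the path list the report quotes; a Mirai-family killer
# walks /proc/<pid>/exe and SIGKILLs processes whose path matches an entry.
KILL_LIST_MARKERS = ("/bin/busybox", "/var/Sofia", "softbot.",
                     "/usr/lib/systemd/systemd", "hicore", "dvr_app")


def extract_strings(data: bytes, min_len: int = 4):
    """Printable ASCII runs of at least min_len bytes (like `strings -n 4`)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage(strings):
    """Count indicator hits and keep the strings that produced them."""
    hits = Counter()
    evidence = {"user_agents": [], "kill_list": [], "proc_walk": []}
    for s in strings:
        if UA_RE.match(s):
            hits["user_agent"] += 1
            evidence["user_agents"].append(s)
        if "busybox" in s:
            hits["busybox"] += 1
        if any(m in s for m in KILL_LIST_MARKERS):
            hits["kill_list"] += 1
            evidence["kill_list"].append(s)
        if s.startswith("/proc/") and "%s" in s:   # format string for a pid walk
            hits["proc_walk"] += 1
            evidence["proc_walk"].append(s)
    return hits, evidence


def verdict(hits):
    """Map indicator counts onto the labels the report uses."""
    labels = []
    if hits["busybox"]:
        labels.append("busybox strings")
    if hits["user_agent"] >= 2:
        labels.append("user agent rotation (HTTP flood capability)")
    if hits["kill_list"] and hits["proc_walk"]:
        labels.append("process killer (/proc walk + path list)")
    return labels


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    h, ev = triage(found)
    print(dict(h), verdict(h))
```

On a real sample, feed `extract_strings` the whole file; the same three labels should appear for this report's binary, since every marker above is taken from its string table. The /proc/%s/exe format string combined with a path list is what backs the report's SIGKILL observation (PID 5529 killing 5531) with a static artefact.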

Remote Access Functionality

Source: Yara match File source: EwFT3M4fD1.elf, type: SAMPLE
Source: Yara match File source: 5531.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5528.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5530.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EwFT3M4fD1.elf PID: 5528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EwFT3M4fD1.elf PID: 5530, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EwFT3M4fD1.elf PID: 5531, type: MEMORYSTR
No contacted IPs recorded during the run