Linux Analysis Report
4NnBaAMXoc.elf

Overview

General Information

Sample name: 4NnBaAMXoc.elf
renamed because original name is a hash value
Original sample name: 88b544637baebebd8e3b79de207cdfb5.elf
Analysis ID: 1432399
MD5: 88b544637baebebd8e3b79de207cdfb5
SHA1: 7398ac64a9218278a93307f4f748437f5327c26f
SHA256: d9ff1d4c4dd8b2b46f8ccc7464e589ff486df462f472c3baacb4748702931185
Tags: 32, arm, elf, gafgyt

Detection

Mirai, Moobot, Okiru
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Yara detected Moobot
Yara detected Okiru
Sample deletes itself
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: MooBot
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

AV Detection

Source: 4NnBaAMXoc.elf Avira: detected
Source: 4NnBaAMXoc.elf ReversingLabs: Detection: 65%

Networking

Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:58840 -> 200.48.94.9:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:58962 -> 200.48.94.9:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:44970 -> 119.201.111.138:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:45196 -> 190.166.153.243:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:59380 -> 200.48.94.9:23
Source: Traffic Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:59498 -> 200.48.94.9:23
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51838
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51838
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51844
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51866
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51902
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51922
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51940
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51962
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51972
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51986
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51998
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52006
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52016
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52032
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52046
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52052
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52062
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52070
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52080
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52088
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52094
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52106
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52128
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52138
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52148
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52162
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36608
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36608
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36618
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36628
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36634
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36644
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36654
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52174
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36664
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52230
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 52242
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36688
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36698
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36704
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36712
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36718
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36724
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36726
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36732
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36736
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36738
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36742
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36744
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36764
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36770
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36780
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36784
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36796
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36802
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36810
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36818
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36824
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36828
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57038
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57038
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57086
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57096
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57104
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57120
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57132
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57150
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57186
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57206
Source: global traffic TCP traffic: 192.168.2.13:35044 -> 45.131.111.251:59666
Source: /tmp/4NnBaAMXoc.elf (PID: 5432) Socket: 127.0.0.1::52380
Source: unknown TCP traffic detected without corresponding DNS query: 126.77.9.252
Source: unknown TCP traffic detected without corresponding DNS query: 31.253.193.253
Source: unknown TCP traffic detected without corresponding DNS query: 159.13.14.252
Source: unknown TCP traffic detected without corresponding DNS query: 167.65.139.177
Source: unknown TCP traffic detected without corresponding DNS query: 194.80.252.237
Source: unknown TCP traffic detected without corresponding DNS query: 114.204.70.186
Source: unknown TCP traffic detected without corresponding DNS query: 211.143.49.145
Source: unknown TCP traffic detected without corresponding DNS query: 44.148.32.21
Source: unknown TCP traffic detected without corresponding DNS query: 95.2.113.2
Source: unknown TCP traffic detected without corresponding DNS query: 132.100.20.225
Source: unknown TCP traffic detected without corresponding DNS query: 94.138.43.139
Source: unknown TCP traffic detected without corresponding DNS query: 139.117.21.132
Source: unknown TCP traffic detected without corresponding DNS query: 78.35.246.66
Source: unknown TCP traffic detected without corresponding DNS query: 132.34.53.147
Source: unknown TCP traffic detected without corresponding DNS query: 192.218.191.149
Source: unknown TCP traffic detected without corresponding DNS query: 216.59.138.161
Source: unknown TCP traffic detected without corresponding DNS query: 48.29.251.66
Source: unknown TCP traffic detected without corresponding DNS query: 65.37.160.55
Source: unknown TCP traffic detected without corresponding DNS query: 199.208.201.35
Source: unknown TCP traffic detected without corresponding DNS query: 197.121.6.246
Source: unknown TCP traffic detected without corresponding DNS query: 134.147.148.40
Source: unknown TCP traffic detected without corresponding DNS query: 73.177.0.251
Source: unknown TCP traffic detected without corresponding DNS query: 35.150.38.131
Source: unknown TCP traffic detected without corresponding DNS query: 164.85.112.42
Source: unknown TCP traffic detected without corresponding DNS query: 156.166.11.131
Source: unknown TCP traffic detected without corresponding DNS query: 135.136.228.183
Source: unknown TCP traffic detected without corresponding DNS query: 156.132.69.108
Source: unknown TCP traffic detected without corresponding DNS query: 131.81.8.185
Source: unknown TCP traffic detected without corresponding DNS query: 155.192.150.61
Source: unknown TCP traffic detected without corresponding DNS query: 32.20.29.239
Source: unknown TCP traffic detected without corresponding DNS query: 62.47.128.5
Source: unknown TCP traffic detected without corresponding DNS query: 61.58.11.140
Source: unknown TCP traffic detected without corresponding DNS query: 25.234.143.203
Source: unknown TCP traffic detected without corresponding DNS query: 81.142.167.72
Source: unknown TCP traffic detected without corresponding DNS query: 200.22.97.97
Source: unknown TCP traffic detected without corresponding DNS query: 139.124.76.37
Source: unknown TCP traffic detected without corresponding DNS query: 17.123.114.211
Source: unknown TCP traffic detected without corresponding DNS query: 109.159.98.169
Source: unknown TCP traffic detected without corresponding DNS query: 171.34.247.52
Source: unknown TCP traffic detected without corresponding DNS query: 122.54.161.6
Source: unknown TCP traffic detected without corresponding DNS query: 161.43.226.20
Source: unknown TCP traffic detected without corresponding DNS query: 79.251.151.138
Source: unknown TCP traffic detected without corresponding DNS query: 171.94.86.123
Source: unknown TCP traffic detected without corresponding DNS query: 190.244.138.155
Source: unknown TCP traffic detected without corresponding DNS query: 54.80.40.185
Source: unknown TCP traffic detected without corresponding DNS query: 94.88.112.37
Source: unknown TCP traffic detected without corresponding DNS query: 2.173.91.32
Source: unknown TCP traffic detected without corresponding DNS query: 153.188.123.74
Source: unknown TCP traffic detected without corresponding DNS query: 156.87.161.187
Source: unknown TCP traffic detected without corresponding DNS query: 150.26.220.23
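The Networking block above is the traffic profile of a Mirai-family telnet scanner: the sandbox host 192.168.2.13 opens TCP sessions to fifty unrelated public addresses on port 23, none preceded by a DNS query (the bot generates target IPs instead of resolving names), logs into some of them with a default root password (the Snort ET 2027973 alerts), and keeps one session to a non-standard port, 45.131.111.251:59666. The "HTTP traffic on port 23" lines are the return side of those same telnet sessions, labelled HTTP by the sandbox's port heuristic. The following Python is an added example, not Joe Sandbox output, of turning that profile into a detection over connection logs. The record layout, the fan-out and no-DNS thresholds and the well-known-port allow-list are assumptions; the sample records are constructed from the addresses listed above.

```python
"""Flag Mirai-style telnet scanning in connection logs (added example; log shape and thresholds assumed)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORT = 23
MIN_TELNET_PEERS = 20      # assumed: distinct public hosts on tcp/23 before we call it a scanner
MIN_NO_DNS_RATIO = 0.9     # assumed: a random-IP scanner never resolves its targets
# Assumed allow-list; any other TCP port counts as "non-standard" (the report flags 59666)
WELL_KNOWN_PORTS = {22, 23, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 8080, 8443}


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnsAnswer:
    client: str   # host that sent the query
    ip: str       # address returned in the answer


def is_public(ip):
    """Scanner targets are globally routable; ignore RFC1918, loopback, test nets."""
    return ipaddress.ip_address(ip).is_global


def scan_findings(conns, dns_answers):
    """Score each source host on the two signals the report shows: fan-out on tcp/23 to
    many public hosts that were never resolved via DNS, and TCP sessions to ports outside
    the allow-list (candidate C2 channel)."""
    resolved = defaultdict(set)
    for d in dns_answers:
        resolved[d.client].add(d.ip)

    telnet_peers = defaultdict(set)
    odd_ports = defaultdict(set)
    for c in conns:
        if c.proto != "tcp" or not is_public(c.dst):
            continue
        if c.dport == TELNET_PORT:
            telnet_peers[c.src].add(c.dst)
        elif c.dport not in WELL_KNOWN_PORTS:
            odd_ports[c.src].add((c.dst, c.dport))

    findings = {}
    for src in sorted(set(telnet_peers) | set(odd_ports)):
        peers = telnet_peers[src]
        unresolved = [p for p in peers if p not in resolved[src]]
        ratio = len(unresolved) / len(peers) if peers else 0.0
        if len(peers) >= MIN_TELNET_PEERS and ratio >= MIN_NO_DNS_RATIO:
            verdict = "mirai-like telnet scanner"
        elif odd_ports[src]:
            verdict = "non-standard port traffic only"
        else:
            verdict = "telnet traffic below scanner threshold"
        findings[src] = {
            "telnet_fanout": len(peers),
            "no_dns_ratio": round(ratio, 2),
            "nonstandard_peers": sorted(odd_ports[src]),
            "verdict": verdict,
        }
    return findings


# Constructed sample. The tcp/23 destinations are the addresses the report lists under
# "TCP traffic detected without corresponding DNS query"; 192.168.2.20 is a made-up benign
# host that resolves a name and then talks HTTPS to the answer it got.
SANDBOX_HOST = "192.168.2.13"
REPORT_TELNET_TARGETS = """
126.77.9.252 31.253.193.253 159.13.14.252 167.65.139.177 194.80.252.237 114.204.70.186
211.143.49.145 44.148.32.21 95.2.113.2 132.100.20.225 94.138.43.139 139.117.21.132
78.35.246.66 132.34.53.147 192.218.191.149 216.59.138.161 48.29.251.66 65.37.160.55
199.208.201.35 197.121.6.246 134.147.148.40 73.177.0.251 35.150.38.131 164.85.112.42
156.166.11.131 135.136.228.183 156.132.69.108 131.81.8.185 155.192.150.61 32.20.29.239
62.47.128.5 61.58.11.140 25.234.143.203 81.142.167.72 200.22.97.97 139.124.76.37
17.123.114.211 109.159.98.169 171.34.247.52 122.54.161.6 161.43.226.20 79.251.151.138
171.94.86.123 190.244.138.155 54.80.40.185 94.88.112.37 2.173.91.32 153.188.123.74
156.87.161.187 150.26.220.23
""".split()
SAMPLE_CONNS = [Conn(SANDBOX_HOST, ip, TELNET_PORT) for ip in REPORT_TELNET_TARGETS] + [
    Conn(SANDBOX_HOST, "45.131.111.251", 59666),   # the one non-standard-port session in the report
    Conn("192.168.2.20", "93.184.216.34", 443),    # constructed benign session
]
SAMPLE_DNS = [DnsAnswer("192.168.2.20", "93.184.216.34")]

if __name__ == "__main__":
    for host, finding in scan_findings(SAMPLE_CONNS, SAMPLE_DNS).items():
        print(host, finding)
```

On real data, feed `Conn` records from a flow log (Zeek conn.log, NetFlow) and `DnsAnswer` records from the resolver log of the same time window; the no-DNS ratio is what separates a scanner from a host that legitimately manages telnet devices by name.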

System Summary

Source: 4NnBaAMXoc.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 4NnBaAMXoc.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
Source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
Source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
Source: Process Memory Space: 4NnBaAMXoc.elf PID: 5432, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 4NnBaAMXoc.elf PID: 5436, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 4NnBaAMXoc.elf ELF static info symbol of initial sample: __gnu_unwind_execute
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spoolsshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Source: 4NnBaAMXoc.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 4NnBaAMXoc.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
Source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
Source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
Source: Process Memory Space: 4NnBaAMXoc.elf PID: 5432, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 4NnBaAMXoc.elf PID: 5436, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal100.troj.evad.linELF@0/0@0/0
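The System Summary lines are the static side of the same verdict: the tags "32 arm elf" are read straight from the ELF header, and the BusyBox/process-path strings (hi3511, dvr_main, anko-app, /proc/%s/exe and so on, printed above run together because the sandbox drops the nul separators) are the list a Mirai/Gafgyt-family "killer" routine walks to find and terminate rival processes on HiSilicon DVR firmware. The following Python is an added example, not Joe Sandbox tooling and not the Elastic rules, of reproducing both checks offline: it decodes e_ident/e_type/e_machine, extracts printable strings and scores them against a watchlist. The watchlist and its threshold are assumptions drawn from the strings the report shows; the ELF header and string blob are constructed inline, and where the nul boundaries fall between the report's strings is my guess.

```python
"""Static triage of an ELF sample: header-derived tags plus Mirai/Gafgyt "killer" strings
(added example; watchlist, threshold and sample bytes are assumed)."""
import re
import struct

MACHINES = {3: "x86", 8: "mips", 40: "arm", 62: "x86_64", 183: "aarch64"}   # e_machine values
ETYPES = {2: "EXEC", 3: "DYN"}                                                # e_type values


def elf_ident(data):
    """Decode e_ident/e_type/e_machine; the report's tags '32 arm elf' come from these fields."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: "32", 2: "64"}[data[4]]            # EI_CLASS
    endian = {1: "<", 2: ">"}[data[5]]            # EI_DATA: little / big
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    arch = MACHINES.get(e_machine, "em%d" % e_machine)
    return {
        "bits": bits,
        "endian": "little" if endian == "<" else "big",
        "machine": arch,
        "type": ETYPES.get(e_type, str(e_type)),
        "tags": [bits, arch, "elf"],
    }


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, in file order (like `strings -n 4`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Assumed watchlist, built from the strings this report shows: device paths and process
# names a Mirai/Gafgyt-family "killer" routine walks to find and kill rival DVR processes.
KILLER_WATCHLIST = (
    "/bin/busybox", "/proc/%s/exe", "/proc/self/exe", "hi3511", "dvr_main", "anko-app",
    "ankosample", "mnt/mtd/app/gui", "sonia", "hicore", "stm_hi3511_dvr", "dropbear",
    "telnetd", "watchdog", "var/Challenge", "dvr_gui", "dvr_app",
)
MIN_KILLER_HITS = 3   # assumed threshold


def killer_indicators(strings):
    """Watchlist entries that appear as substrings of any extracted string."""
    return [needle for needle in KILLER_WATCHLIST if any(needle in s for s in strings)]


def triage(data):
    """Header tags plus killer-string verdict for one ELF image."""
    info = elf_ident(data)
    strings = extract_strings(data)
    hits = killer_indicators(strings)
    verdict = ("killer strings present (Mirai/Gafgyt-like)" if len(hits) >= MIN_KILLER_HITS
               else "no killer string cluster")
    return {"tags": info["tags"], "type": info["type"], "string_count": len(strings),
            "killer_hits": hits, "verdict": verdict}


# Constructed sample: a 52-byte ELF32 header for a little-endian ARM executable (ET_EXEC,
# EM_ARM = 40), followed by nul-separated strings taken from the report.
_EHDR = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack(
    "<HHIIIIIHHHHHH", 2, 40, 1, 0x8000, 52, 0, 0x5000400, 52, 32, 1, 40, 0, 0)
_STRINGS = b"\0".join([
    b"/proc/", b"/proc/%s/exe", b"/proc/self/exe", b"var/Challenge", b"app/hi3511gm", b"DVRibox",
    b"usr/dvr_main _8182T_1108", b"mnt/mtd/app/gui", b"var/Kylin",
    b"anko-app/ankosample _8182T_1104", b"var/tmp/sonia", b"hicore", b"stm_hi3511_dvr",
    b"/bin/busybox", b"/usr/lib/systemd/systemd", b"telnetd", b"dropbear", b"watchdog",
]) + b"\0"
SAMPLE_ELF = _EHDR + _STRINGS

if __name__ == "__main__":
    print(triage(SAMPLE_ELF))
```

Run `triage(open(path, "rb").read())` on a real sample to get the same tags and the hit list; the verdict is a triage aid to route a file to full Yara scanning, not a substitute for the two Elastic rules matched above.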

Hooking and other Techniques for Hiding and Protection

Source: /tmp/4NnBaAMXoc.elf (PID: 5432) File: /tmp/4NnBaAMXoc.elf (sample deletes itself)
Source: unknown Network traffic detected: HTTP traffic on port 23 (the 73 entries are identical to those listed under Networking above and are not repeated here; the signature list names this "Uses known network protocols on non-standard ports")
Source: /tmp/4NnBaAMXoc.elf (PID: 5432) Queries kernel information via 'uname'
Source: 4NnBaAMXoc.elf, 5432.1.0000564a561fc000.0000564a5634d000.rw-.sdmp, 4NnBaAMXoc.elf, 5436.1.0000564a561fc000.0000564a5632a000.rw-.sdmp Binary or memory string: 3!VJVP5!VJVP2!VJV!/etc/qemu-binfmt/arm
Source: 4NnBaAMXoc.elf, 5432.1.00007ffe4e264000.00007ffe4e285000.rw-.sdmp, 4NnBaAMXoc.elf, 5436.1.00007ffe4e264000.00007ffe4e285000.rw-.sdmp Binary or memory string: Px86_64/usr/bin/qemu-arm/tmp/4NnBaAMXoc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/4NnBaAMXoc.elf
Source: 4NnBaAMXoc.elf, 5432.1.0000564a561fc000.0000564a5634d000.rw-.sdmp, 4NnBaAMXoc.elf, 5436.1.0000564a561fc000.0000564a5632a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 4NnBaAMXoc.elf, 5432.1.00007ffe4e264000.00007ffe4e285000.rw-.sdmp, 4NnBaAMXoc.elf, 5436.1.00007ffe4e264000.00007ffe4e285000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
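Two things in this block are worth separating. "Sample deletes itself" (File: /tmp/4NnBaAMXoc.elf) is the Mirai habit of unlinking its own image right after start-up, so nothing is left on disk while the process keeps running. The /usr/bin/qemu-arm and /etc/qemu-binfmt/arm strings, by contrast, come from the sandbox running this ARM binary under user-mode QEMU on an x86_64 host; they are not indicators of the sample and should be filtered before memory strings are reused as IOCs. The following Python is an added example, not Joe Sandbox output, of the live-response check that catches the first behaviour: on Linux the unlinked file stays reachable through /proc/<pid>/exe, which readlink reports with a " (deleted)" suffix, so the image can still be copied out and hashed against the report's MD5. The classifier runs on a constructed snapshot; scan_proc() and recover_image() are what you would run as root on a suspect device, and the volatile-directory and artefact-prefix lists are assumptions.

```python
"""Live-response check for a self-deleting Linux implant, plus filtering of sandbox artefacts
(added example; the snapshot and string list below are constructed)."""
import hashlib
import os
import shutil

DELETED_SUFFIX = " (deleted)"
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed: where Mirai-style droppers stage
# Assumed: strings produced by running an ARM binary under QEMU user mode on an x86_64 host
# (this report shows /usr/bin/qemu-arm and /etc/qemu-binfmt/arm); not indicators of the sample.
SANDBOX_ARTEFACT_PREFIXES = ("/usr/bin/qemu-", "/etc/qemu-binfmt/")


def classify_exe_links(snapshot):
    """snapshot maps pid -> readlink('/proc/<pid>/exe'). A process whose image was unlinked
    after exec shows the original path with a ' (deleted)' suffix."""
    findings = {}
    for pid, target in snapshot.items():
        if target.endswith(DELETED_SUFFIX):
            path = target[: -len(DELETED_SUFFIX)]
            findings[pid] = {"path": path, "volatile_dir": path.startswith(VOLATILE_DIRS)}
    return findings


def strip_sandbox_artefacts(strings):
    """Drop emulator paths before treating memory strings as indicators."""
    return [s for s in strings if not s.startswith(SANDBOX_ARTEFACT_PREFIXES)]


def scan_proc(proc="/proc"):
    """Snapshot /proc/<pid>/exe for every readable process (run as root on the device)."""
    snapshot = {}
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                snapshot[int(name)] = os.readlink(os.path.join(proc, name, "exe"))
            except OSError:
                pass   # kernel thread, already exited, or not permitted
    return snapshot


def recover_image(pid, dest):
    """The unlinked file is still open through /proc/<pid>/exe: copy it out and hash it so it
    can be matched against the report (MD5 88b544637baebebd8e3b79de207cdfb5)."""
    shutil.copyfile("/proc/%d/exe" % pid, dest)
    with open(dest, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


# Constructed snapshot modelled on the report's two PIDs; PID 1 is an ordinary process.
SAMPLE_SNAPSHOT = {
    1: "/usr/lib/systemd/systemd",
    5432: "/tmp/4NnBaAMXoc.elf (deleted)",
    5436: "/tmp/4NnBaAMXoc.elf (deleted)",
}
# Constructed from the memory strings the report lists in this section.
SAMPLE_MEMORY_STRINGS = ["/etc/qemu-binfmt/arm", "/usr/bin/qemu-arm", "/bin/busybox"]

if __name__ == "__main__":
    live = scan_proc() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for pid, info in classify_exe_links(live).items():
        print("running from deleted image:", pid, info)
```

A deleted image in /tmp with a live PID is the moment to run `recover_image(pid, "/root/recovered.elf")` before rebooting the device, since the file is gone once the process exits.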

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 4NnBaAMXoc.elf, type: SAMPLE
Source: Yara match File source: 4NnBaAMXoc.elf, type: SAMPLE
Source: Yara match File source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4NnBaAMXoc.elf PID: 5432, type: MEMORYSTR
Source: Yara match File source: 4NnBaAMXoc.elf, type: SAMPLE
Source: Yara match File source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4NnBaAMXoc.elf PID: 5432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4NnBaAMXoc.elf PID: 5436, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 4NnBaAMXoc.elf, type: SAMPLE
Source: Yara match File source: 4NnBaAMXoc.elf, type: SAMPLE
Source: Yara match File source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4NnBaAMXoc.elf PID: 5432, type: MEMORYSTR
Source: Yara match File source: 4NnBaAMXoc.elf, type: SAMPLE
Source: Yara match File source: 5432.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5436.1.00007f349c017000.00007f349c034000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4NnBaAMXoc.elf PID: 5432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4NnBaAMXoc.elf PID: 5436, type: MEMORYSTR