Linux Analysis Report
LfI5pQnZBu.elf

Overview

General Information

Sample name: LfI5pQnZBu.elf
renamed because original name is a hash value
Original sample name: 3387ddf6e158c3af42d722ba79e50171.elf
Analysis ID: 1433176
MD5: 3387ddf6e158c3af42d722ba79e50171
SHA1: ea01830d3504635e310310f9acf0d5e894b4b021
SHA256: fb4e82c3740b45f01ba5c582b0bc556f217005f8b5a1c6555d95e48ec89627e8
Tags: 32elfmipsmirai
Infos:

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: LfI5pQnZBu.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: LfI5pQnZBu.elf ReversingLabs: Detection: 42%
Found strings indicative of a multi-platform dropper
Source: LfI5pQnZBu.elf String: /root//tmp//dev//bin//etc//boot//usr//mnt//var//proc/self/exe/cmdlinewgettftpchmodcurl/exe/sbin//snap/76-21;-101-13;

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60780
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58584
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58590
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58606
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58622
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58636
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58650
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58714
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58734
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58748
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58748
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33024
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33048
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33062
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33066
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57590
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57592
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57604
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33070
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57618
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57630
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57638
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33120
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57662
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57680
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57702
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57724
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33170
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57816
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57832
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57844
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57926
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57950
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58086
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58100
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36124
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36142
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36152
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35144
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36156
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36192
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35160
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36210
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36226
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35196
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36264
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35236
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35308
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35328
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35354
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37338
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37344
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37356
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37372
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37382
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37420
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37438
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56062
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56088
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56096
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56112
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56124
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56162
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51330
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51350
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51376
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51496
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51532
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45910
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45918
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45932
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45948
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45992
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46018
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46042
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46064
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46086
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:42734 -> 45.128.232.208:33335
Sample listens on a socket
Source: /tmp/LfI5pQnZBu.elf (PID: 6211) Socket: 127.0.0.1::33337 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 45.128.232.208
Source: unknown TCP traffic detected without corresponding DNS query: 26.79.88.216
Source: unknown TCP traffic detected without corresponding DNS query: 104.193.132.138
Source: unknown TCP traffic detected without corresponding DNS query: 71.148.73.39
Source: unknown TCP traffic detected without corresponding DNS query: 53.189.5.217
Source: unknown TCP traffic detected without corresponding DNS query: 101.255.48.166
Source: unknown TCP traffic detected without corresponding DNS query: 103.161.66.22
Source: unknown TCP traffic detected without corresponding DNS query: 206.231.39.65
Source: unknown TCP traffic detected without corresponding DNS query: 29.143.86.188
Source: unknown TCP traffic detected without corresponding DNS query: 195.94.147.114
Source: unknown TCP traffic detected without corresponding DNS query: 83.224.215.162
Source: unknown TCP traffic detected without corresponding DNS query: 173.245.33.84
Source: unknown TCP traffic detected without corresponding DNS query: 6.233.135.207
Source: unknown TCP traffic detected without corresponding DNS query: 98.112.252.8
Source: unknown TCP traffic detected without corresponding DNS query: 209.234.196.150
Source: unknown TCP traffic detected without corresponding DNS query: 71.245.245.12
Source: unknown TCP traffic detected without corresponding DNS query: 93.231.180.98
Source: unknown TCP traffic detected without corresponding DNS query: 128.142.65.20
Source: unknown TCP traffic detected without corresponding DNS query: 219.239.195.90
Source: unknown TCP traffic detected without corresponding DNS query: 181.145.179.78
Source: unknown TCP traffic detected without corresponding DNS query: 50.120.216.29
Source: unknown TCP traffic detected without corresponding DNS query: 17.38.227.247
Source: unknown TCP traffic detected without corresponding DNS query: 221.176.183.81
Source: unknown TCP traffic detected without corresponding DNS query: 168.217.178.155
Source: unknown TCP traffic detected without corresponding DNS query: 120.49.19.255
Source: unknown TCP traffic detected without corresponding DNS query: 240.3.236.158
Source: unknown TCP traffic detected without corresponding DNS query: 1.236.106.7
Source: unknown TCP traffic detected without corresponding DNS query: 218.161.196.22
Source: unknown TCP traffic detected without corresponding DNS query: 44.27.215.95
Source: unknown TCP traffic detected without corresponding DNS query: 36.236.223.127
Source: unknown TCP traffic detected without corresponding DNS query: 12.192.209.61
Source: unknown TCP traffic detected without corresponding DNS query: 157.54.157.61
Source: unknown TCP traffic detected without corresponding DNS query: 244.236.229.255
Source: unknown TCP traffic detected without corresponding DNS query: 30.11.24.47
Source: unknown TCP traffic detected without corresponding DNS query: 55.255.213.109
Source: unknown TCP traffic detected without corresponding DNS query: 37.56.214.213
Source: unknown TCP traffic detected without corresponding DNS query: 57.195.25.6
Source: unknown TCP traffic detected without corresponding DNS query: 101.7.81.186
Source: unknown TCP traffic detected without corresponding DNS query: 22.224.72.186
Source: unknown TCP traffic detected without corresponding DNS query: 197.139.116.137
Source: unknown TCP traffic detected without corresponding DNS query: 74.44.203.181
Source: unknown TCP traffic detected without corresponding DNS query: 102.11.254.160
Source: unknown TCP traffic detected without corresponding DNS query: 242.97.113.107
Source: unknown TCP traffic detected without corresponding DNS query: 174.97.135.155
Source: unknown TCP traffic detected without corresponding DNS query: 7.25.46.173
Source: unknown TCP traffic detected without corresponding DNS query: 49.86.164.115
Source: unknown TCP traffic detected without corresponding DNS query: 249.60.127.47
Source: unknown TCP traffic detected without corresponding DNS query: 126.211.48.3
Source: unknown TCP traffic detected without corresponding DNS query: 212.221.197.84
Source: unknown TCP traffic detected without corresponding DNS query: 163.236.124.244
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: LfI5pQnZBu.elf, type: SAMPLE Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6211.1.00007fcedc400000.00007fcedc41b000.r-x.sdmp, type: MEMORY Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: LfI5pQnZBu.elf, type: SAMPLE Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6211.1.00007fcedc400000.00007fcedc41b000.r-x.sdmp, type: MEMORY Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine Classification label: mal84.troj.linELF@0/0@0/0
Enumerates processes within the "proc" file system
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6232/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6234/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6233/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6236/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6235/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1582/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/3088/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/230/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/110/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/231/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/111/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/232/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1579/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/112/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/233/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1699/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/113/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/234/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1335/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1698/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/114/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/235/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1334/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1576/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/2302/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/115/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/236/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/116/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/237/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/117/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/118/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/910/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/119/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6347/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/912/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/10/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/2307/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/11/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6241/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/918/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6240/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/12/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6243/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/13/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6242/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/14/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6245/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/15/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6244/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/16/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6247/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/17/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6246/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/18/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1594/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/120/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/121/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1349/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/122/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/243/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/2/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/123/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/3/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/124/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/4/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/125/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/126/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1344/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1465/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1586/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/127/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/248/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/128/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/249/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1463/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6238/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/800/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6237/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/9/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/801/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6239/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/20/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/21/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/1900/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/22/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/23/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/24/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/25/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/26/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/27/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/28/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/29/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/491/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/250/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/6250/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/130/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/251/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/252/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/132/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/253/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/254/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/255/cmdline Jump to behavior
Source: /tmp/LfI5pQnZBu.elf (PID: 6213) File opened: /proc/256/cmdline Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 60780
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58584
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58590
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58606
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58622
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58636
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58650
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58678
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58714
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58734
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58748
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58748
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33024
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33048
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33062
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33066
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57590
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57592
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57604
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33070
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57618
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57630
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57638
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33120
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57662
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57680
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57702
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57724
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 33170
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57816
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57832
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57844
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57926
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 57950
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58054
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58086
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58100
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 58116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36124
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36142
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36152
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35136
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35144
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36156
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36192
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35160
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36210
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36226
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35196
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36264
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 36240
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35236
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35262
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35282
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35308
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35328
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 35354
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37338
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37344
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37356
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37372
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37382
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37420
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37438
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 37492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56062
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56074
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56088
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56096
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56112
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56124
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56162
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 56184
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51330
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51350
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51376
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51400
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51426
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51496
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 51532
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45910
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45918
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45932
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45948
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45960
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 45992
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46018
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46042
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46064
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 46086
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/LfI5pQnZBu.elf (PID: 6211) Queries kernel information via 'uname': Jump to behavior
Source: LfI5pQnZBu.elf, 6211.1.00005653c3b71000.00005653c3c19000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: LfI5pQnZBu.elf, 6211.1.00007ffca03c5000.00007ffca03e6000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/LfI5pQnZBu.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/LfI5pQnZBu.elf
Source: LfI5pQnZBu.elf, 6211.1.00005653c3b71000.00005653c3c19000.rw-.sdmp Binary or memory string: SV!/etc/qemu-binfmt/mipsel
Source: LfI5pQnZBu.elf, 6211.1.00007ffca03c5000.00007ffca03e6000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: LfI5pQnZBu.elf, type: SAMPLE
Source: Yara match File source: 6211.1.00007fcedc400000.00007fcedc41b000.r-x.sdmp, type: MEMORY
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: LfI5pQnZBu.elf, type: SAMPLE
Source: Yara match File source: 6211.1.00007fcedc400000.00007fcedc41b000.r-x.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
114.40.215.188
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
85.97.99.156
 unknown Turkey
9121 TTNETTR false
169.163.220.209
 unknown United States
37611 AfrihostZA false
196.138.105.247
 unknown Egypt
36935 Vodafone-EG false
86.222.195.157
 unknown France
3215 FranceTelecom-OrangeFR false
54.10.18.11
 unknown United States
14618 AMAZON-AESUS false
176.154.208.8
 unknown France
5410 BOUYGTEL-ISPFR false
190.143.63.115
 unknown Colombia
10620 TelmexColombiaSACO false
143.250.34.207
 unknown United States
27064 DNIC-ASBLK-27032-27159US false
69.123.181.106
 unknown United States
6128 CABLE-NET-1US false
108.157.2.207
 unknown United States
16509 AMAZON-02US false
187.237.52.162
 unknown Mexico
8151 UninetSAdeCVMX false
123.161.178.143
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
123.8.85.61
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
65.195.47.66
 unknown United States
701 UUNETUS false
253.83.161.37
 unknown Reserved
unknown unknown false
128.222.196.255
 unknown United States
5723 JHUUS false
126.210.129.161
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
144.115.232.103
 unknown United States
3634 SFASU-ASUS false
47.198.148.23
 unknown United States
5650 FRONTIER-FRTRUS false
141.218.8.232
 unknown United States
237 MERIT-AS-14US false
34.244.124.120
 unknown United States
16509 AMAZON-02US false
106.200.18.91
 unknown India
45609 BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService false
146.205.53.187
 unknown United States
6871 PLUSNETUKInternetServiceProviderGB false
171.121.162.148
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
255.82.97.68
 unknown Reserved
unknown unknown false
195.3.51.133
 unknown France
15557 LDCOMNETFR false
156.154.241.79
 unknown United States
19905 NEUSTAR-AS6US false
139.86.12.197
 unknown Australia
45213 USQNET-AS-APUniversityofSouthernQueenslandAU false
45.20.50.250
 unknown United States
7018 ATT-INTERNET4US false
191.48.206.218
 unknown Brazil
26615 TIMSABR false
110.113.31.214
 unknown China
24138 CTTNETChinaTieTongTelecommunicationsCorporationCN false
39.230.204.76
 unknown Indonesia
23693 TELKOMSEL-ASN-IDPTTelekomunikasiSelularID false
107.79.252.203
 unknown United States
7018 ATT-INTERNET4US false
213.180.97.145
 unknown Latvia
20910 BALTKOM-ASLV false
190.72.15.49
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE false
174.168.17.104
 unknown United States
7922 COMCAST-7922US false
30.147.7.166
 unknown United States
7922 COMCAST-7922US false
163.99.79.243
 unknown France
17816 CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi false
116.116.10.4
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
76.38.230.131
 unknown United States
18494 CENTURYLINK-LEGACY-EMBARQ-WRBGUS false
104.42.23.130
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
9.37.132.151
 unknown United States
3356 LEVEL3US false
136.9.166.232
 unknown United States
10146 FORD-MOTOR-CO-SG-APFordMotorCompanySG false
153.96.246.93
 unknown Germany
12643 IGDDE false
161.75.123.211
 unknown Japan 786 JANETJiscServicesLimitedGB false
219.3.130.129
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
87.91.67.48
 unknown France
5410 BOUYGTEL-ISPFR false
92.36.229.148
 unknown Bosnia and Herzegowina
9146 BIHNETBIHNETAutonomusSystemBA false
60.174.126.78
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
107.220.87.241
 unknown United States
7018 ATT-INTERNET4US false
153.212.44.23
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
97.0.183.49
 unknown United States
22394 CELLCOUS false
147.197.13.185
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
149.170.166.26
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
93.151.65.217
 unknown Italy
44957 OPITELIT false
141.193.168.22
 unknown United States
16717 CRAWKANINTERNETUS false
82.196.167.100
 unknown Sweden
25473 ASN-SYSTEAMEVRYCloudServicesSE false
93.90.99.194
 unknown Russian Federation
48642 KTEL-ASEkaterinburgRussiaRU false
56.223.90.201
 unknown United States
2686 ATGS-MMD-ASUS false
196.30.233.235
 unknown South Africa
16637 MTNNS-ASZA false
158.43.222.80
 unknown United Kingdom
702 UUNETUS false
125.247.125.249
 unknown Korea Republic of
38402 GOESW-AS-KRGyeonggiProvincialSuwonOfficeofEducationK false
95.29.218.7
 unknown Russian Federation
8402 CORBINA-ASOJSCVimpelcomRU false
54.168.12.143
 unknown United States
16509 AMAZON-02US false
23.185.139.222
 unknown Reserved
395852 MAYAVIRTUALUS false
67.75.143.175
 unknown United States
3549 LVLT-3549US false
63.156.139.168
 unknown United States
32996 AGRIBANK-STPAULUS false
65.43.200.210
 unknown United States
7018 ATT-INTERNET4US false
148.138.181.193
 unknown Sweden
3246 TDCSONGTele2BusinessTDCSwedenSE false
255.157.147.180
 unknown Reserved
unknown unknown false
186.94.35.188
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE false
218.71.130.60
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
132.162.111.237
 unknown United States
36368 OBERLIN-COLLEGEUS false
216.90.108.244
 unknown United States
23028 TEAM-CYMRUUS false
22.102.39.22
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
172.195.251.51
 unknown Australia
18747 IFX18747US false
249.95.62.206
 unknown Reserved
unknown unknown false
27.230.5.99
 unknown Japan 9605 DOCOMONTTDOCOMOINCJP false
190.133.162.23
 unknown Uruguay
6057 AdministracionNacionaldeTelecomunicacionesUY false
221.194.64.117
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
52.118.189.14
 unknown United States
36351 SOFTLAYERUS false
25.70.165.240
 unknown United Kingdom
7922 COMCAST-7922US false
183.182.175.240
 unknown Japan 45684 MIRAINETKyoceraCommunicationSystemsCoLtdJP false
81.197.146.53
 unknown Finland
719 ELISA-ASHelsinkiFinlandEU false
191.56.40.8
 unknown Brazil
53037 NEXTELTELECOMUNICACOESLTDABR false
217.162.58.50
 unknown Switzerland
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
78.60.207.235
 unknown Lithuania
8764 TELIA-LIETUVALT false
157.146.162.122
 unknown United States
719 ELISA-ASHelsinkiFinlandEU false
62.69.168.244
 unknown Finland
59766 ASWICITYIT false
138.241.148.144
 unknown United States
12980 EMEAHostingAutonomousSystemEU false
174.222.59.186
 unknown United States
22394 CELLCOUS false
240.165.31.245
 unknown Reserved
unknown unknown false
99.17.215.202
 unknown United States
7018 ATT-INTERNET4US false
109.129.112.41
 unknown Belgium
5432 PROXIMUS-ISP-ASBE false
120.238.226.125
 unknown China
56040 CMNET-GUANGDONG-APChinaMobilecommunicationscorporation false
63.237.52.231
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
83.137.220.2
 unknown Russian Federation
12739 NETLINE_ASRU false
212.194.130.194
 unknown France
5410 BOUYGTEL-ISPFR false
95.195.139.119
 unknown Sweden
3301 TELIANET-SWEDENTeliaCompanySE false