Linux Analysis Report
x86.elf

Overview

General Information

Sample name: x86.elf
Analysis ID: 1436363
MD5: 4b80c6c18aac27625434f6817fd951fd
SHA1: 69cd4f920dec679fe6daef4d5f2939e74060a4d4
SHA256: 25d8d5b4a3fdb428d08555641b9fd97b2b3294c17b5e11ecf22f1ecabb1a5a29
Tags: elf

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Found strings indicative of a multi-platform dropper
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample listens on a socket
Yara signature match

Classification

AV Detection

Source: x86.elf Avira: detected
Source: x86.elf Virustotal: Detection: 36%
Source: x86.elf ReversingLabs: Detection: 47%
Source: x86.elf Joe Sandbox ML: detected
Source: x86.elf String: /cmdlinewgettftpchmodcurl/root//tmp//dev//bin//etc//boot//usr//mnt//var//sbin//snap/
Source: /tmp/x86.elf (PID: 6248) Socket: 127.0.0.1::33337

System Summary

Source: x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
Source: 6248.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_1cb033f3 Author: unknown
Source: ELF static info symbol of initial sample .symtab present: no
Source: x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_1cb033f3 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
Source: 6248.1.0000000000400000.000000000040d000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_1cb033f3 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e, last_modified = 2021-09-16
Source: classification engine Classification label: mal68.linELF@0/0@0/0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
No contacted IP infos