Linux Analysis Report
pSyrtz5Pls.elf

Overview

General Information

Sample name: pSyrtz5Pls.elf (renamed because the original name is a hash value)
Original sample name: aa81d4de98f9fb8749abe0873d870765.elf
Analysis ID: 1442687
MD5: aa81d4de98f9fb8749abe0873d870765
SHA1: ecd3dd2e0529b3b039f3f2d253c2271a9ded6759
SHA256: 73382bba68161be1f3b8a765a0f061703d7fa7348625fd03d7554831c000ecad
Tags: 64, elf, gafgyt

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
HTTP GET or POST without a user agent
Reads the 'hosts' file potentially containing internal network hosts
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Yara signature match
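
Two of the network signatures above ("Connects to many ports of the same IP (likely port scanning)" and "Uses known network protocols on non-standard ports") translate directly into checks over connection logs. The script below is an added example, not Joe Sandbox's own detection logic: the Zeek-style conn records, the table of expected ports per service and the threshold of eight distinct ports are all constructed for illustration (the report does not list the hosts or ports the sample actually contacted, nor the sandbox's thresholds).

```python
"""Turn two of the report's network signatures ("connects to many ports of the
same IP" and "uses known network protocols on non-standard ports") into checks
over connection-log records. Added example, not Joe Sandbox's logic."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, int, str, str]  # src, dst, dst_port, proto, service

# Constructed Zeek-style conn records (ts src dst dport proto service); not the
# report's traffic. Targets use RFC 5737 documentation ranges. 10.0.0.5 walks
# telnet and common IoT management ports on one host; 10.0.0.7 is benign.
CONN_LOG = """\
1715870596.001 10.0.0.5 198.51.100.23 23 tcp -
1715870596.012 10.0.0.5 198.51.100.23 2323 tcp -
1715870596.020 10.0.0.5 198.51.100.23 80 tcp http
1715870596.031 10.0.0.5 198.51.100.23 8080 tcp http
1715870596.044 10.0.0.5 198.51.100.23 8888 tcp -
1715870596.050 10.0.0.5 198.51.100.23 5555 tcp -
1715870596.061 10.0.0.5 198.51.100.23 7547 tcp -
1715870596.070 10.0.0.5 198.51.100.23 37215 tcp -
1715870596.085 10.0.0.5 198.51.100.23 52869 tcp -
1715870597.000 10.0.0.5 203.0.113.9 6677 tcp http
1715870598.000 10.0.0.7 203.0.113.9 443 tcp ssl
1715870599.000 10.0.0.7 203.0.113.9 80 tcp http
"""

# Ports on which each identified service is expected (assumed table);
# a recognised service on any other port is "non-standard".
STANDARD_PORTS: Dict[str, Set[int]] = {
    "http": {80, 8080, 8000, 8008, 8443},
    "ssl": {443, 8443},
    "dns": {53},
    "ssh": {22},
}


def parse_conn_log(text: str) -> List[Row]:
    """Whitespace-separated records -> (src, dst, dport, proto, service) tuples."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto, service = line.split()
        rows.append((src, dst, int(dport), proto, service))
    return rows


def port_scan_pairs(rows: List[Row], min_ports: int = 8) -> Dict[Tuple[str, str], List[int]]:
    """(src, dst) pairs that touched at least `min_ports` distinct destination
    ports: the 'many ports of the same IP' behaviour, with an assumed threshold."""
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for src, dst, dport, _proto, _service in rows:
        seen[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) >= min_ports}


def nonstandard_service_ports(rows: List[Row]) -> List[Tuple[str, str, int, str]]:
    """Flows whose identified service runs on a port outside its expected set."""
    flagged = []
    for src, dst, dport, _proto, service in rows:
        expected = STANDARD_PORTS.get(service)
        if expected is not None and dport not in expected:
            flagged.append((src, dst, dport, service))
    return flagged


if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    for (src, dst), ports in port_scan_pairs(rows).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
    for src, dst, dport, service in nonstandard_service_ports(rows):
        print(f"{service} on non-standard port: {src} -> {dst}:{dport}")
```

The threshold and the service-to-port table are the tunables: on a network with many legitimate reverse proxies on odd ports the second check will be noisy, while the first is robust as long as it counts distinct destination ports per (src, dst) pair rather than total connections.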

Classification

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1442687
Start date and time: 2024-05-16 16:43:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal100.troj.linELF@0/1@0/0
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing network information.
  • VT rate limit hit for: pSyrtz5Pls.elf
Command: /tmp/pSyrtz5Pls.elf
PID: 5499
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 5849, Parent: 3632)
  • rm (PID: 5849, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.KUMjNiGJTz /tmp/tmp.wthzj9Lx7H /tmp/tmp.QlZJZDOM7v
  • dash New Fork (PID: 5850, Parent: 3632)
  • rm (PID: 5850, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.KUMjNiGJTz /tmp/tmp.wthzj9Lx7H /tmp/tmp.QlZJZDOM7v
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums", many variants of the Mirai family have appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source           Rule                           Description           Author        Strings
pSyrtz5Pls.elf   JoeSecurity_Mirai_4            Yara detected Mirai   Joe Security
pSyrtz5Pls.elf   JoeSecurity_Mirai_6            Yara detected Mirai   Joe Security
pSyrtz5Pls.elf   JoeSecurity_Mirai_8            Yara detected Mirai   Joe Security
pSyrtz5Pls.elf   Linux_Trojan_Gafgyt_9e9530a7   unknown               unknown       0xbf68:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
pSyrtz5Pls.elf   Linux_Trojan_Gafgyt_807911a2   unknown               unknown       0xc757:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
(5 of 8 entries shown)
Source                                               Rule                           Description           Author        Strings
6173.1.0000000000400000.0000000000416000.r-x.sdmp    JoeSecurity_Mirai_4            Yara detected Mirai   Joe Security
6173.1.0000000000400000.0000000000416000.r-x.sdmp    JoeSecurity_Mirai_6            Yara detected Mirai   Joe Security
6173.1.0000000000400000.0000000000416000.r-x.sdmp    JoeSecurity_Mirai_8            Yara detected Mirai   Joe Security
6173.1.0000000000400000.0000000000416000.r-x.sdmp    Linux_Trojan_Gafgyt_9e9530a7   unknown               unknown       0xbf68:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
6173.1.0000000000400000.0000000000416000.r-x.sdmp    Linux_Trojan_Gafgyt_807911a2   unknown               unknown       0xc757:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
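
The two Gafgyt string hits listed for the file and for the 6173 memory dump are the same bytes at the same offsets, which is what a non-PIE ELF mapped at 0x400000 without in-memory unpacking looks like. They are also short enough to read: decoded as x86-64, the first pattern ends in `mov eax, 0x36; syscall; cmp rax, -4096; mov rbx, rax`, i.e. a libc-style wrapper around syscall 54 (setsockopt), which is why the same bytes recur across statically linked Gafgyt/Mirai builds. The script below is an added example, not Joe Sandbox's, Elastic's or the sample's code: it parses hit lines in the report's `offset:$id: bytes` format, re-locates them in a constructed zero-filled buffer that stands in for the sample's text section (the file itself is not on the page), emits a minimal YARA rule from them, and extracts the syscall number from any `mov eax, imm32; syscall` pair. The socket syscall table is a partial x86-64 table and is an assumption of this example.

```python
"""Re-use the Yara string hits from the report: parse them, find them again in a
buffer, emit a YARA rule, and read the syscall number out of the first pattern.
Added example, not Joe Sandbox or Elastic code."""
import re
from typing import Dict, List, Tuple

# Hit lines copied verbatim from the report, keyed by the rule that fired.
REPORT_HITS: Dict[str, str] = {
    "Linux_Trojan_Gafgyt_9e9530a7":
        "0xbf68:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3",
    "Linux_Trojan_Gafgyt_807911a2":
        "0xc757:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D",
}

# Partial x86-64 syscall table (socket family only). Assumption: the patterns are
# x86-64 code, which the REX (48) prefixes and the 0F 05 'syscall' opcode show.
X86_64_SOCKET_SYSCALLS = {41: "socket", 42: "connect", 43: "accept", 44: "sendto",
                          45: "recvfrom", 49: "bind", 50: "listen",
                          54: "setsockopt", 55: "getsockopt"}

HIT_RE = re.compile(r"^(0x[0-9a-fA-F]+):\$(\w+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_hit(line: str) -> Tuple[int, str, bytes]:
    """'0xbf68:$a: F6 48 ...' -> (offset, identifier, pattern bytes)."""
    m = HIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised hit line: {line!r}")
    return int(m.group(1), 16), m.group(2), bytes.fromhex("".join(m.group(3).split()))


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs in `buf` (overlaps included)."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def syscall_numbers(pattern: bytes) -> List[int]:
    """imm32 of each 'mov eax, imm32' (B8 imm32) immediately followed by
    'syscall' (0F 05): the shape of a libc syscall wrapper on x86-64."""
    return [int.from_bytes(pattern[i + 1:i + 5], "little")
            for i in range(len(pattern) - 6)
            if pattern[i] == 0xB8 and pattern[i + 5:i + 7] == b"\x0f\x05"]


def to_yara(rule_name: str, hit_lines: List[str]) -> str:
    """Minimal YARA rule requiring every listed byte pattern. Identifiers are
    re-numbered because the report reuses $a for strings from different rules."""
    strings = []
    for n, line in enumerate(hit_lines):
        _, ident, pattern = parse_hit(line)
        hexstr = " ".join(f"{b:02X}" for b in pattern)
        strings.append(f"        ${ident}{n} = {{ {hexstr} }}")
    return ("rule " + rule_name + " {\n    strings:\n" + "\n".join(strings)
            + "\n    condition:\n        all of them\n}\n")


def build_sample_buffer(hits: Dict[str, str], size: int = 0xD000) -> bytes:
    """Constructed stand-in for the sample's text section (the real file is not
    on the page): zero-filled, with each pattern placed at its reported offset."""
    buf = bytearray(size)
    for line in hits.values():
        off, _, pattern = parse_hit(line)
        buf[off:off + len(pattern)] = pattern
    return bytes(buf)


def relocate(buf: bytes, hits: Dict[str, str]) -> Dict[str, List[int]]:
    """Where each rule's pattern sits in `buf`, for comparison with the report."""
    return {rule: find_all(buf, parse_hit(line)[2]) for rule, line in hits.items()}


if __name__ == "__main__":
    buf = build_sample_buffer(REPORT_HITS)
    for rule, offsets in relocate(buf, REPORT_HITS).items():
        reported, _, pattern = parse_hit(REPORT_HITS[rule])
        print(f"{rule}: found at {[hex(o) for o in offsets]} (report: {hex(reported)})")
        for nr in syscall_numbers(pattern):
            print(f"  mov eax, {nr}; syscall -> {X86_64_SOCKET_SYSCALLS.get(nr, '?')}")
    print(to_yara("gafgyt_report_hits", list(REPORT_HITS.values())))
```

A rule built only from these two strings will also hit unrelated binaries linked against the same libc, since both patterns are compiler and library output rather than bot logic; use it as a triage lead for hunting related uploads, and rely on the family-specific rules (the JoeSecurity_Mirai_* matches in the same table) for the verdict.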