Linux Analysis Report rEwoho1ZZp

Overview

General Information

Sample Name: rEwoho1ZZp
Analysis ID: 553321
MD5: 4551d1b6498e7221a47926b43f93190a
SHA1: 49d569d9953ccc8f65d9f65f5e71d91ed05a31e2
SHA256: e6329513b10f29003a9431a0df38bccf7935679b24b3f6905f3d869647c53043
Tags: elf

Detection

Mirai Moobot
Score: 88
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara detected Moobot
Sample deletes itself
Contains symbols with names commonly found in malware
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: rEwoho1ZZp Avira: detected
Multi AV Scanner detection for submitted file
Source: rEwoho1ZZp Virustotal: Detection: 53%
Source: rEwoho1ZZp Metadefender: Detection: 37%
Source: rEwoho1ZZp ReversingLabs: Detection: 70%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:39404 -> 209.141.53.247:55650
Source: Traffic Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 209.141.53.247:55650 -> 192.168.2.23:39404
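The two Snort alerts above fire on the bot's first bytes to the C2 and the server's reply. As an added example (not the ET rule, and not code from the sample), the parser below checks a TCP payload for the Mirai-style check-in and reproduces the "group string length 1" condition the alert name refers to. The byte layout is an assumption taken from the published Mirai bot source: a fixed 4-byte hello, one length byte, then the group/id string; Moobot is a Mirai fork and the signature keys on the same structure. The flows and the 198.51.100.7 address are constructed test data.

```python
"""Mirai-style C2 check-in parser (added example; not the ET rule nor the sample's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

HELLO = b"\x00\x00\x00\x01"


@dataclass
class Checkin:
    group_len: int
    group: bytes


def parse_checkin(payload: bytes) -> Optional[Checkin]:
    """Return a Checkin if payload starts with the bot hello, else None.

    Layout (assumption taken from the published Mirai bot source):
      4 bytes  00 00 00 01        fixed hello
      1 byte   N                  length of the group/id string
      N bytes  group/id string    may be empty
    """
    if len(payload) < 5 or payload[:4] != HELLO:
        return None
    n = payload[4]
    if len(payload) < 5 + n:
        return None  # length byte promises more than the segment carries
    return Checkin(n, payload[5:5 + n])


def is_group_len_1_checkin(payload: bytes) -> bool:
    """Mirrors the 'Group String Len 1' condition named in the Snort alert above."""
    c = parse_checkin(payload)
    return c is not None and c.group_len == 1


def scan_flows(flows: Iterable[Tuple[str, int, str, int, bytes]]) -> List[str]:
    """Run the check over (src, sport, dst, dport, first_payload) tuples; return alert strings."""
    alerts = []
    for src, sport, dst, dport, payload in flows:
        c = parse_checkin(payload)
        if c is None:
            continue
        alerts.append(f"mirai-checkin {src}:{sport} -> {dst}:{dport} group={c.group!r}")
    return alerts


# Constructed flows: a check-in with a one-byte group, an HTTP request, a truncated hello.
SAMPLE_FLOWS = [
    ("192.168.2.23", 39404, "209.141.53.247", 55650, b"\x00\x00\x00\x01\x01x"),
    ("192.168.2.23", 42516, "109.202.202.202", 80, b"GET / HTTP/1.1\r\n"),
    ("192.168.2.23", 40000, "198.51.100.7", 1234, b"\x00\x00\x00\x01\x05ab"),
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The hello and the length byte are written by the bot in separate send() calls, so they can land in different TCP segments; run this over the reassembled stream, not per packet, or the truncated case above will be the common one.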
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:39404 -> 209.141.53.247:55650
Sample listens on a socket
Source: /tmp/rEwoho1ZZp (PID: 5223) Socket: 127.0.0.1::6628
Source: unknown DNS traffic detected: queries for: smellyoulater.onthewifi.com
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42

System Summary:

Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_app_http
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_gre_eth
Source: ELF static info symbol of initial sample Name: attack_gre_ip
Source: ELF static info symbol of initial sample Name: attack_icmpecho
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_method_ovh
Yara signature match
Source: rEwoho1ZZp, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5223.1.0000000096931fd9.00000000c1d9a2ff.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5223.1.00000000c3675780.000000005050d10e.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal88.troj.evad.lin@0/0@1/0
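The SUSP_XORed_Mozilla matches above mean the "Mozilla/5.0" user-agent string is present in the file and in memory only under a single-byte XOR, a common way for Mirai forks to keep their HTTP flood headers out of plain strings output. As an added example (this is not Florian Roth's rule and not code from the sample), the function below finds every offset at which a keyword appears XORed with any one-byte key, by deriving the candidate key from the first byte and checking the rest. The sample buffer and the 0x3c key are constructed.

```python
"""Single-byte-XOR keyword finder (added example; not the SUSP_XORed_Mozilla rule itself)."""
from typing import List, Tuple

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf: bytes, keyword: bytes = KEYWORD) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs where keyword occurs XORed with a single non-zero byte.

    The key is derived at each offset as buf[i] ^ keyword[0] and then verified
    against the remaining bytes, so all keys 0x01..0xFF are covered in one pass.
    Key 0x00 is the plaintext string and is deliberately not reported.
    """
    hits = []
    first = keyword[0]
    for i in range(len(buf) - len(keyword) + 1):
        key = buf[i] ^ first
        if key == 0:
            continue
        if all(buf[i + j] ^ key == keyword[j] for j in range(1, len(keyword))):
            hits.append((i, key))
    return hits


def decode_hits(buf: bytes, hits, keyword: bytes = KEYWORD, context: int = 16):
    """Decode a window after each hit with its key, to see what else that key unmasks."""
    out = []
    for off, key in hits:
        end = min(len(buf), off + len(keyword) + context)
        out.append((off, key, xor_bytes(buf[off:end], key)))
    return out


# Constructed sample: padding, a UA header XORed with 0x3c, filler bytes,
# then the plaintext keyword (which must not be reported).
SAMPLE = (
    b"\x00" * 8
    + xor_bytes(b"Mozilla/5.0 (Windows NT 10.0)", 0x3C)
    + b"\xff" * 4
    + KEYWORD
)

if __name__ == "__main__":
    for off, key, plain in decode_hits(SAMPLE, find_xored_keyword(SAMPLE)):
        print(f"offset={off} key=0x{key:02x} -> {plain!r}")
```

A multi-byte or rolling key defeats this check; the Yara rule has the same limit, which is why the memory-dump matches are the stronger evidence: the string is unmasked there regardless of how it was stored on disk.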

Persistence and Installation Behavior:

Enumerates processes within the "proc" file system
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/5145/maps (6 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/1582/maps (6 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/3088/maps (6 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/230/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/110/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/231/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/111/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/232/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/1579/maps (6 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/112/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/233/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/1699/maps (6 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/113/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/234/maps (7 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/1335/maps (6 times)
Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/1698/maps (6 times)
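A child process (PID 5225) walking the maps file of every other PID is the pattern of a Mirai-family "killer" looking for competing bots to terminate. As an added example (not from the report or the sample), the function below runs that detection over event lines in the sandbox's own format: it counts how many distinct foreign PIDs each process touched under /proc and flags those above a threshold, weighting processes started from a scratch directory. The event lines are constructed from the entries above plus two benign lines; ps and top also enumerate /proc, so the executable path is what separates noise from signal.

```python
"""Flag processes that enumerate other PIDs' /proc entries (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Matches the sandbox's event lines, e.g.
#   Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/5145/maps
EVENT_RE = re.compile(
    r"Source: (?P<exe>\S+) \(PID: (?P<pid>\d+)\) File opened: /proc/(?P<target>\d+)/(?P<entry>[\w/]+)"
)
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def proc_scanners(lines: Iterable[str], min_targets: int = 5) -> Dict[int, Tuple[str, List[int], bool]]:
    """Return {pid: (exe, sorted foreign PIDs read, started_from_scratch_dir)} for scanners.

    A process reading its own /proc entry is normal and is not counted.
    """
    exe_of: Dict[int, str] = {}
    seen = defaultdict(set)
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        pid, target = int(m["pid"]), int(m["target"])
        exe_of[pid] = m["exe"]
        if pid != target:
            seen[pid].add(target)
    return {
        pid: (exe_of[pid], sorted(targets), exe_of[pid].startswith(SCRATCH_DIRS))
        for pid, targets in seen.items()
        if len(targets) >= min_targets
    }


# Constructed from the report lines above, plus two benign /proc readers.
SAMPLE_EVENTS = [
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/5145/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/5145/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/1582/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/3088/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/230/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/110/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/231/maps",
    "Source: /tmp/rEwoho1ZZp (PID: 5225) File opened: /proc/5225/maps",
    "Source: /usr/bin/top (PID: 4000) File opened: /proc/4000/status",
    "Source: /usr/bin/ps (PID: 4100) File opened: /proc/1/stat",
]

if __name__ == "__main__":
    for pid, (exe, targets, scratch) in proc_scanners(SAMPLE_EVENTS).items():
        print(f"pid={pid} exe={exe} scratch={scratch} read {len(targets)} foreign PIDs")
```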

Hooking and other Techniques for Hiding and Protection:

Sample deletes itself
Source: /tmp/rEwoho1ZZp (PID: 5223) File: /tmp/rEwoho1ZZp
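The bot unlinks its own file after exec, so an on-disk scan of /tmp finds nothing while the process keeps running from the already-mapped image. As an added example (not from the report or the sample), the check below walks /proc and reports every process whose /proc/<pid>/exe link carries the kernel's " (deleted)" suffix, and marks those that were started from a scratch directory. Running it needs Linux and enough privilege to readlink other users' exe links; on anything else it returns an empty list.

```python
"""Find running processes whose on-disk executable has been unlinked (added example)."""
import os
from typing import List, Tuple

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_deleted_exe(exe_link: str) -> bool:
    """True when /proc/<pid>/exe points at a path the kernel marks as unlinked."""
    return exe_link.endswith(" (deleted)")


def is_suspicious_exe(exe_link: str) -> bool:
    """Deleted and originally started from a world-writable scratch directory.

    A deleted exe on its own is also produced by a package upgrade that replaces
    a running binary, so the scratch-directory origin is what makes it worth a look.
    """
    return is_deleted_exe(exe_link) and exe_link.startswith(SCRATCH_DIRS)


def deleted_exe_processes(proc_root: str = "/proc") -> List[Tuple[int, str, bool]]:
    """Walk /proc and return (pid, exe_target, suspicious) for every deleted executable."""
    found = []
    if not os.path.isdir(proc_root):
        return found  # not Linux, or procfs not mounted
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        if is_deleted_exe(target):
            found.append((int(name), target, is_suspicious_exe(target)))
    return found


if __name__ == "__main__":
    for pid, target, bad in deleted_exe_processes():
        print(f"{'!!' if bad else '  '} pid={pid} exe={target}")
```

While the process is alive the image is still recoverable: copying /proc/<pid>/exe (for this run, PID 5223) to disk yields the original ELF even though the path in /tmp no longer exists.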

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/rEwoho1ZZp (PID: 5223) Queries kernel information via 'uname'
Source: rEwoho1ZZp, 5223.1.00000000c72745f9.000000000a9504d8.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: rEwoho1ZZp, 5223.1.000000003f7d3e23.00000000cba6bdfa.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/rEwoho1ZZpSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/rEwoho1ZZp
Source: rEwoho1ZZp, 5223.1.00000000c72745f9.000000000a9504d8.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: rEwoho1ZZp, 5223.1.000000003f7d3e23.00000000cba6bdfa.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match File source: rEwoho1ZZp, type: SAMPLE
Yara detected Moobot
Source: Yara match File source: rEwoho1ZZp, type: SAMPLE
Source: Yara match File source: 5223.1.00000000c3675780.000000005050d10e.r-x.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Mirai
Source: Yara match File source: rEwoho1ZZp, type: SAMPLE
Yara detected Moobot
Source: Yara match File source: rEwoho1ZZp, type: SAMPLE
Source: Yara match File source: 5223.1.00000000c3675780.000000005050d10e.r-x.sdmp, type: MEMORY