Linux Analysis Report
mNMOQlPshG

Overview

General Information

Sample Name: mNMOQlPshG
Analysis ID: 635046
MD5: 376ad57cf2b182915c6406fc09268968
SHA1: 21217f2f50c79b3dea0a6f0219644d21d3dfc557
SHA256: 6c47ca46c555299c33e44f0db3a3efc886b2d2aaa9a8a865a236d3a80a36b8aa
Tags: 32armelf
Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Opens /proc/net/* files useful for finding connected devices and routers
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Executes the "rm" command used to delete files or directories

Classification

AV Detection

Source: mNMOQlPshG Virustotal: Detection: 20%
Source: /usr/bin/pkill (PID: 6268) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6271) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6276) Reads CPU info from /sys: /sys/devices/system/cpu/online

Spreading

Source: /tmp/mNMOQlPshG (PID: 6232) Opens: /proc/net/route
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: mNMOQlPshG String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x8000
Source: mNMOQlPshG, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine Classification label: mal72.spre.troj.evad.lin@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /bin/sh (PID: 6268) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 6271) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 6276) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1698/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1698/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1576/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1576/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/2302/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/2302/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/912/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/912/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/2307/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/2307/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/918/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/918/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1594/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1594/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1349/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1349/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 6276) File opened: /proc/125/cmdline
Source: /tmp/mNMOQlPshG (PID: 6243) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/mNMOQlPshG (PID: 6253) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/mNMOQlPshG (PID: 6256) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/mNMOQlPshG (PID: 6263) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/mNMOQlPshG (PID: 6266) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/mNMOQlPshG (PID: 6269) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/mNMOQlPshG (PID: 6274) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/mNMOQlPshG (PID: 6277) Shell command executed: sh -c "iptables -A INPUT -j DROP"
Source: /bin/sh (PID: 6245) Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/mNMOQlPshG /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 6255) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 6262) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 6265) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/rm (PID: 6245) File: /tmp/mNMOQlPshG

Malware Analysis System Evasion

Source: /usr/bin/rm (PID: 6255) Truncated file: /var/log/wtmp
Source: /usr/bin/pkill (PID: 6268) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6271) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6276) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/mNMOQlPshG (PID: 6232) Queries kernel information via 'uname'
Source: mNMOQlPshG, 6232.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6235.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6237.1.00000000a35de681.00000000f61a084d.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: mNMOQlPshG, 6232.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6235.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6237.1.00000000c609cab4.0000000064147583.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/mNMOQlPshGSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mNMOQlPshG
Source: mNMOQlPshG, 6232.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6235.1.00000000a35de681.00000000f61a084d.rw-.sdmp, mNMOQlPshG, 6237.1.00000000a35de681.00000000f61a084d.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: mNMOQlPshG, 6232.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6235.1.00000000c609cab4.0000000064147583.rw-.sdmp, mNMOQlPshG, 6237.1.00000000c609cab4.0000000064147583.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Source: Yara match File source: 6232.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6237.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6235.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6232.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6237.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6235.1.00000000c2dc0f68.0000000061964638.r-x.sdmp, type: MEMORY