Linux Analysis Report
wget

Overview

General Information

Sample Name: wget
Analysis ID: 635350
MD5: dd0cdabc3008bb93f0ec2476337bd15c
SHA1: 5a3f07ce4ff6536ca93db6594756260b8c6b7d20
SHA256: 1a011ac69e0e4ec28c3b2fdfcec8285d56a2b8fad94ced140ec6c3cee56e0c46
Infos:

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Opens /proc/net/* files useful for finding connected devices and routers
Machine Learning detection for sample
Sample contains symbols with suspicious names
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: wget Avira: detected
Multi AV Scanner detection for submitted file
Source: wget Virustotal: Detection: 65% Perma Link
Machine Learning detection for sample
Source: wget Joe Sandbox ML: detected

Spreading
barindex
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/wget (PID: 6226) Opens: /proc/net/route Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.23:57822 -> 45.95.55.12:23
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown TCP traffic detected without corresponding DNS query: 46.46.46.46
Source: wget String found in binary or memory: http://45.95.55.12/bins.sh;
Sample contains symbols with suspicious names
Source: ELF static info symbol of initial sample Name: passwords
Source: ELF static info symbol of initial sample Name: usernames
Source: classification engine Classification label: mal80.spre.troj.lin@0/0@0/0
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/crt1.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/crti.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/crtn.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/mmap.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/i386/vfork.S

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
158.143.88.56
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
186.189.66.72
 unknown Argentina
28075 ARLINKSAAR false
206.127.191.169
 unknown United States
26793 ICS-LLCUS false
162.224.254.218
 unknown United States
7018 ATT-INTERNET4US false
222.102.202.189
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
215.172.146.212
 unknown United States
721 DNIC-ASBLK-00721-00726US false
190.137.66.142
 unknown Argentina
7303 TelecomArgentinaSAAR false
132.181.127.184
 unknown New Zealand
9432 CANTERBURY-ASUniversityofCanterburyNZ false
180.136.182.144
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
73.165.95.100
 unknown United States
7922 COMCAST-7922US false
110.110.110.110
 unknown China
38341 CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN false
136.206.197.207
 unknown Ireland
1213 HEANETIE false
116.172.115.71
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
86.156.147.157
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
210.165.203.228
 unknown Japan 2514 INFOSPHERENTTPCCommunicationsIncJP false
60.48.96.82
 unknown Malaysia
4788 TMNET-AS-APTMNetInternetServiceProviderMY false
191.172.248.187
 unknown Brazil
26615 TIMSABR false
72.72.72.72
 unknown United States
701 UUNETUS false
158.158.158.158
 unknown Singapore
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
136.34.135.102
 unknown United States
16591 GOOGLE-FIBERUS false
156.174.212.222
 unknown Egypt
36992 ETISALAT-MISREG false
146.147.160.74
 unknown United States
197938 TRAVIANGAMESDE false
215.228.201.127
 unknown United States
721 DNIC-ASBLK-00721-00726US false
183.223.151.211
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
183.183.183.183
 unknown Japan 45684 MIRAINETKyoceraCommunicationSystemsCoLtdJP false
71.89.46.93
 unknown United States
20115 CHARTER-20115US false
186.204.161.208
 unknown Brazil
28573 CLAROSABR false
117.26.163.33
 unknown China
133776 CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN false
64.134.140.57
 unknown United States
14654 WAYPORTUS false
139.189.242.251
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
138.158.174.125
 unknown United States
1540 DNIC-ASBLK-01534-01546US false
148.164.177.127
 unknown United States
23154 SANMINA-SCIUS false
164.152.200.186
 unknown United States
27343 MONSANTO-INETUS false
245.159.188.134
 unknown Reserved
unknown unknown false
115.28.122.5
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false
53.103.156.165
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
186.100.128.229
 unknown Argentina
11315 TelefonicaMovilesArgentinaSAMovistarArgentinaAR false
220.221.234.148
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
42.30.78.64
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
140.107.152.109
 unknown United States
14954 FHCRCUS false
137.199.229.193
 unknown United States
14655 HAMPTONUUS false
8.78.69.79
 unknown United States
3356 LEVEL3US false
89.176.170.89
 unknown Czech Republic
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
217.235.192.239
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
162.87.53.171
 unknown United States
701 UUNETUS false
205.230.201.179
 unknown United States
5049 MORGAN-ASNUS false
189.147.188.229
 unknown Mexico
8151 UninetSAdeCVMX false
164.234.225.235
 unknown United States
27064 DNIC-ASBLK-27032-27159US false
195.109.137.238
 unknown Netherlands
702 UUNETUS false
187.113.46.129
 unknown Brazil
10429 TELEFONICABRASILSABR false
205.179.227.167
 unknown United States
18566 MEGAPATH5-US false
205.161.207.169
 unknown United States
1239 SPRINTLINKUS false
175.168.53.90
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
166.186.202.153
 unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
144.58.86.187
 unknown United States
786 JANETJiscServicesLimitedGB false
140.99.212.80
 unknown United States
398197 REMOTE-SUB-SERVICES-01US false
20.40.56.7
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
186.95.232.102
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE false
217.217.217.217
 unknown Spain
12357 COMUNITELSPAINES false
162.99.105.143
 unknown United States
26810 HHSNET-NOC-ASNUS false
192.216.207.159
 unknown United States
3356 LEVEL3US false
223.247.238.190
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
205.85.185.172
 unknown United States
665 DNIC-ASBLK-00616-00665US false
53.96.140.151
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
202.128.61.144
 unknown Philippines
23944 SKYBB-AS-APSKYBroadbandSKYCableCorporationPH false
133.173.185.62
 unknown Japan 2497 IIJInternetInitiativeJapanIncJP false
45.63.20.67
 unknown United States
20473 AS-CHOOPAUS false
77.36.149.17
 unknown Iran (ISLAMIC Republic Of)
42586 IRIB-ASIR false
183.181.228.232
 unknown Japan 9374 EDIONEDIONCorporationJP false
139.226.220.139
 unknown China
17621 CNCGROUP-SHChinaUnicomShanghainetworkCN false
134.164.124.184
 unknown United States
6009 DNIC-ASBLK-05800-06055US false
147.128.204.143
 unknown United States
158 ERI-ASUS false
84.146.176.140
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
153.191.149.115
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
39.116.97.116
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
197.198.211.125
 unknown Egypt
36992 ETISALAT-MISREG false
133.209.207.215
 unknown Japan 2518 BIGLOBEBIGLOBEIncJP false
185.183.230.234
 unknown France
36924 GVA-CanalboxBJ false
116.90.138.78
 unknown New Zealand
38477 SOLARIX-NZSolarixNetworksLimitedNZ false
96.147.144.171
 unknown United States
7922 COMCAST-7922US false
72.9.15.53
 unknown United States
21688 GMP-METROCASTUS false
70.119.196.177
 unknown United States
11427 TWC-11427-TEXASUS false
141.159.116.163
 unknown United States
12075 JACOBSUS false
216.185.200.128
 unknown United States
22925 ALLIED-TELECOMUS false
251.181.247.252
 unknown Reserved
unknown unknown false
207.120.214.97
 unknown United States
7219 ASNTULIXUS false
255.165.250.134
 unknown Reserved
unknown unknown false
212.159.88.164
 unknown United Kingdom
6871 PLUSNETUKInternetServiceProviderGB false
254.180.113.196
 unknown Reserved
unknown unknown false
111.78.123.80
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
79.104.75.53
 unknown Russian Federation
3216 SOVAM-ASRU false
142.79.35.90
 unknown United States
397832 EPF-COUS false
95.161.198.91
 unknown Russian Federation
43370 OBIT-KZ-ASObitTelecommunicationsKazakhstannetworkRU false
246.249.126.132
 unknown Reserved
unknown unknown false
132.150.107.154
 unknown Norway
2119 TELENOR-NEXTELTelenorNorgeASNO false
111.119.181.122
 unknown Pakistan
59257 CMPAKLIMITED-AS-APCMPakLimitedPK false
44.25.130.29
 unknown United States
63479 HAMWANUS false
56.76.92.43
 unknown United States
2686 ATGS-MMD-ASUS false
124.122.169.173
 unknown Thailand
17552 TRUE-AS-APTrueInternetCoLtdTH false
132.157.128.106
 unknown Peru
21575 ENTELPERUSAPE false