Linux Analysis Report
LxfGfOr9r6

Overview

General Information

Sample Name: LxfGfOr9r6
Analysis ID: 679618
MD5: a6a6579914345f3a3f6aa3663ee67e11
SHA1: 9b7656bb68fc7b06169e59644b3fb90d80a641f9
SHA256: 8f0bc7d0a706edd460cde7cdb729814412e45b9e1c9344fba7e7eca9f1bce528
Tags: 32elfmiraimotorola
Infos:

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

barindex
Source: LxfGfOr9r6 Virustotal: Detection: 50% Perma Link
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: /tmp/LxfGfOr9r6 (PID: 6228) Socket: 127.0.0.1::1312 Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) Socket: 0.0.0.0::0 Jump to behavior
Source: unknown DNS traffic detected: queries for: arcticboatz.cz
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 182.212.162.196
Source: unknown TCP traffic detected without corresponding DNS query: 170.70.176.196
Source: unknown TCP traffic detected without corresponding DNS query: 184.208.52.196
Source: unknown TCP traffic detected without corresponding DNS query: 149.122.148.189
Source: unknown TCP traffic detected without corresponding DNS query: 119.237.15.53
Source: unknown TCP traffic detected without corresponding DNS query: 18.90.116.15
Source: unknown TCP traffic detected without corresponding DNS query: 125.255.186.227
Source: unknown TCP traffic detected without corresponding DNS query: 69.237.77.192
Source: unknown TCP traffic detected without corresponding DNS query: 220.254.218.102
Source: unknown TCP traffic detected without corresponding DNS query: 79.153.238.131
Source: unknown TCP traffic detected without corresponding DNS query: 57.12.238.183
Source: unknown TCP traffic detected without corresponding DNS query: 106.81.138.170
Source: unknown TCP traffic detected without corresponding DNS query: 158.192.89.15
Source: unknown TCP traffic detected without corresponding DNS query: 179.142.233.52
Source: unknown TCP traffic detected without corresponding DNS query: 99.33.131.140
Source: unknown TCP traffic detected without corresponding DNS query: 198.24.228.208
Source: unknown TCP traffic detected without corresponding DNS query: 66.153.92.242
Source: unknown TCP traffic detected without corresponding DNS query: 117.81.234.178
Source: unknown TCP traffic detected without corresponding DNS query: 112.30.58.202
Source: unknown TCP traffic detected without corresponding DNS query: 114.40.120.20
Source: unknown TCP traffic detected without corresponding DNS query: 72.174.97.188
Source: unknown TCP traffic detected without corresponding DNS query: 19.232.112.198
Source: unknown TCP traffic detected without corresponding DNS query: 113.25.4.238
Source: unknown TCP traffic detected without corresponding DNS query: 14.7.53.190
Source: unknown TCP traffic detected without corresponding DNS query: 23.16.231.136
Source: unknown TCP traffic detected without corresponding DNS query: 86.136.66.37
Source: unknown TCP traffic detected without corresponding DNS query: 192.136.184.43
Source: unknown TCP traffic detected without corresponding DNS query: 190.128.142.230
Source: unknown TCP traffic detected without corresponding DNS query: 72.166.196.154
Source: unknown TCP traffic detected without corresponding DNS query: 107.108.89.34
Source: unknown TCP traffic detected without corresponding DNS query: 169.63.92.163
Source: unknown TCP traffic detected without corresponding DNS query: 117.190.206.254
Source: unknown TCP traffic detected without corresponding DNS query: 183.122.155.210
Source: unknown TCP traffic detected without corresponding DNS query: 193.167.89.128
Source: unknown TCP traffic detected without corresponding DNS query: 80.207.188.37
Source: unknown TCP traffic detected without corresponding DNS query: 185.158.142.250
Source: unknown TCP traffic detected without corresponding DNS query: 167.139.113.59
Source: unknown TCP traffic detected without corresponding DNS query: 74.142.140.23
Source: unknown TCP traffic detected without corresponding DNS query: 249.93.172.43
Source: unknown TCP traffic detected without corresponding DNS query: 146.106.136.12
Source: unknown TCP traffic detected without corresponding DNS query: 103.29.222.19
Source: unknown TCP traffic detected without corresponding DNS query: 78.117.198.49
Source: unknown TCP traffic detected without corresponding DNS query: 77.37.118.145
Source: unknown TCP traffic detected without corresponding DNS query: 179.133.123.111
Source: unknown TCP traffic detected without corresponding DNS query: 203.56.127.2
Source: unknown TCP traffic detected without corresponding DNS query: 46.88.253.194
Source: unknown TCP traffic detected without corresponding DNS query: 2.133.14.183
Source: unknown TCP traffic detected without corresponding DNS query: 251.217.142.17
Source: unknown TCP traffic detected without corresponding DNS query: 96.72.106.135
Source: unknown TCP traffic detected without corresponding DNS query: 241.165.134.90
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/LxfGfOr9r6 (PID: 6239) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: Initial sample String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: >>retrieve/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: classification engine Classification label: mal64.troj.lin@0/0@48/0
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/491/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/793/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/772/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/796/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/774/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/797/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/777/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/799/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/658/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/912/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/759/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/936/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/918/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/1/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/761/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/785/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/884/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/720/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/721/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/788/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/789/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/800/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/801/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/847/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6239) File opened: /proc/904/fd Jump to behavior
Source: /tmp/LxfGfOr9r6 (PID: 6228) Queries kernel information via 'uname': Jump to behavior
Source: LxfGfOr9r6, 6228.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6328.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6240.1.00005576c4867000.00005576c48ec000.rw-.sdmp Binary or memory string: vU!/etc/qemu-binfmt/m68k
Source: LxfGfOr9r6, 6228.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6328.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6240.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: LxfGfOr9r6, 6228.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6328.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6240.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/LxfGfOr9r6SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/LxfGfOr9r6
Source: LxfGfOr9r6, 6228.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6328.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6240.1.00005576c4867000.00005576c48ec000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: LxfGfOr9r6, type: SAMPLE
Source: Yara match File source: 6240.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6228.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6328.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: LxfGfOr9r6, type: SAMPLE
Source: Yara match File source: 6240.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6228.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6328.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs