Linux Analysis Report
H9NSZqE1YV

Overview

General Information

Sample Name: H9NSZqE1YV
Analysis ID: 679633
MD5: 58836131abfd4884cee3a45e82344236
SHA1: 99834e69d8788d276f63ee5968256cb84d3dc1c4
SHA256: 75197b35b16d2668bf3c9437ac9e29f2287db5b1f0839acc4f6dbcf7bca02ae2
Tags: 32elfmiraipowerpc
Infos:

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

AV Detection

barindex
Source: H9NSZqE1YV Avira: detected
Source: H9NSZqE1YV Virustotal: Detection: 50% Perma Link
Source: H9NSZqE1YV Metadefender: Detection: 31% Perma Link
Source: H9NSZqE1YV ReversingLabs: Detection: 61%

Networking

barindex
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38848
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38856
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38874
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38876
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38878
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38894
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38896
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38900
Source: global traffic TCP traffic: 192.168.2.23:49684 -> 189.236.48.74:7547
Source: global traffic TCP traffic: 192.168.2.23:33416 -> 112.170.93.137:7547
Source: global traffic TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: /tmp/H9NSZqE1YV (PID: 6232) Socket: 127.0.0.1::1312 Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) Socket: 0.0.0.0::23 Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) Socket: 0.0.0.0::53413 Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) Socket: 0.0.0.0::80 Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) Socket: 0.0.0.0::52869 Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) Socket: 0.0.0.0::37215 Jump to behavior
Source: unknown DNS traffic detected: queries for: arcticboatz.cz
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 2808
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 189.236.48.74
Source: unknown TCP traffic detected without corresponding DNS query: 112.170.93.137
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 189.236.48.74
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 158.209.73.34
Source: unknown TCP traffic detected without corresponding DNS query: 79.230.189.239
Source: unknown TCP traffic detected without corresponding DNS query: 40.71.205.34
Source: unknown TCP traffic detected without corresponding DNS query: 255.240.206.49
Source: unknown TCP traffic detected without corresponding DNS query: 146.74.47.18
Source: unknown TCP traffic detected without corresponding DNS query: 78.218.165.73
Source: unknown TCP traffic detected without corresponding DNS query: 244.16.155.19
Source: unknown TCP traffic detected without corresponding DNS query: 129.8.7.47
Source: unknown TCP traffic detected without corresponding DNS query: 216.253.109.206
Source: unknown TCP traffic detected without corresponding DNS query: 44.139.232.96
Source: unknown TCP traffic detected without corresponding DNS query: 23.21.46.22
Source: unknown TCP traffic detected without corresponding DNS query: 191.197.164.163
Source: unknown TCP traffic detected without corresponding DNS query: 126.178.56.153
Source: unknown TCP traffic detected without corresponding DNS query: 117.53.114.23
Source: unknown TCP traffic detected without corresponding DNS query: 173.7.147.254
Source: unknown TCP traffic detected without corresponding DNS query: 170.51.199.30
Source: unknown TCP traffic detected without corresponding DNS query: 206.243.187.98
Source: unknown TCP traffic detected without corresponding DNS query: 9.38.164.129
Source: unknown TCP traffic detected without corresponding DNS query: 75.86.70.161
Source: unknown TCP traffic detected without corresponding DNS query: 57.243.157.111
Source: unknown TCP traffic detected without corresponding DNS query: 31.205.83.49
Source: unknown TCP traffic detected without corresponding DNS query: 142.105.20.237
Source: unknown TCP traffic detected without corresponding DNS query: 12.120.176.124
Source: unknown TCP traffic detected without corresponding DNS query: 79.49.199.46
Source: unknown TCP traffic detected without corresponding DNS query: 59.62.201.167
Source: unknown TCP traffic detected without corresponding DNS query: 246.239.56.178
Source: unknown TCP traffic detected without corresponding DNS query: 17.240.180.52
Source: unknown TCP traffic detected without corresponding DNS query: 206.46.174.77
Source: unknown TCP traffic detected without corresponding DNS query: 92.35.25.14
Source: unknown TCP traffic detected without corresponding DNS query: 155.65.48.135
Source: unknown TCP traffic detected without corresponding DNS query: 9.152.178.21
Source: unknown TCP traffic detected without corresponding DNS query: 18.32.189.2
Source: unknown TCP traffic detected without corresponding DNS query: 192.8.195.30
Source: unknown TCP traffic detected without corresponding DNS query: 242.39.196.246
Source: unknown TCP traffic detected without corresponding DNS query: 126.101.119.208
Source: unknown TCP traffic detected without corresponding DNS query: 154.238.65.57
Source: unknown TCP traffic detected without corresponding DNS query: 250.83.50.223
Source: unknown TCP traffic detected without corresponding DNS query: 141.191.30.241
Source: unknown TCP traffic detected without corresponding DNS query: 177.61.206.106
Source: unknown TCP traffic detected without corresponding DNS query: 126.231.7.36
Source: unknown TCP traffic detected without corresponding DNS query: 222.21.186.251
Source: unknown TCP traffic detected without corresponding DNS query: 166.252.138.130
Source: unknown TCP traffic detected without corresponding DNS query: 98.238.12.183
Source: unknown TCP traffic detected without corresponding DNS query: 95.108.120.160
Source: unknown TCP traffic detected without corresponding DNS query: 240.255.179.116
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/H9NSZqE1YV (PID: 6242) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: Initial sample String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: classification engine Classification label: mal76.troj.lin@0/0@42/0
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/491/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/793/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/772/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/796/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/774/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/797/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/777/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/799/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/658/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/912/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/759/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/936/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/918/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/1/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/761/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/785/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/884/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/720/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/721/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/788/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/789/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/800/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/801/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/847/fd Jump to behavior
Source: /tmp/H9NSZqE1YV (PID: 6242) File opened: /proc/904/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38848
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38856
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38874
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38876
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38878
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38888
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38892
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38894
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38896
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 38900
Source: /tmp/H9NSZqE1YV (PID: 6232) Queries kernel information via 'uname': Jump to behavior
Source: H9NSZqE1YV, 6232.1.000055d88c945000.000055d88c9f5000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: H9NSZqE1YV, 6331.1.000055d88c945000.000055d88c9f5000.rw-.sdmp, H9NSZqE1YV, 6244.1.000055d88c945000.000055d88c9f5000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: H9NSZqE1YV, 6232.1.000055d88c945000.000055d88c9f5000.rw-.sdmp, H9NSZqE1YV, 6331.1.000055d88c945000.000055d88c9f5000.rw-.sdmp, H9NSZqE1YV, 6244.1.000055d88c945000.000055d88c9f5000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: H9NSZqE1YV, 6232.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6331.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6244.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/H9NSZqE1YVSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/H9NSZqE1YV
Source: H9NSZqE1YV, 6232.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6331.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6244.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: H9NSZqE1YV, type: SAMPLE
Source: Yara match File source: 6232.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6331.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6244.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: H9NSZqE1YV, type: SAMPLE
Source: Yara match File source: 6232.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6331.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6244.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs