Edit tour

Linux Analysis Report
f03XBkpBK6.elf

Overview

General Information

Sample Name:	f03XBkpBK6.elf
Analysis ID:	755689
MD5:	55d542dcd32aee3788c86ab2ae634ca6
SHA1:	2d8927726e1c34cd6355c8095aef1dd27c5e86ae
SHA256:	815804338b816bf198769f53a3962dd33a04b16dffef46a87ac89e9775adae6b
Tags:	32elfmipsmirai
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755689
Start date and time:	2022-11-29 02:11:38 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	f03XBkpBK6.elf
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal80.troj.evad.linELF@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/f03XBkpBK6.elf
PID:	6226
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

f03XBkpBK6.elf (PID: 6226, Parent: 6125, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/f03XBkpBK6.elf

f03XBkpBK6.elf New Fork (PID: 6228, Parent: 6226)

f03XBkpBK6.elf New Fork (PID: 6229, Parent: 6226)

f03XBkpBK6.elf New Fork (PID: 6231, Parent: 6226)

f03XBkpBK6.elf New Fork (PID: 6234, Parent: 6231)

f03XBkpBK6.elf New Fork (PID: 6235, Parent: 6231)

f03XBkpBK6.elf New Fork (PID: 6237, Parent: 6231)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6226.1.00007fc8b8455000.00007fc8b8457000.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x1584:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x166c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x16e0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1754:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19d4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1a2c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1a84:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1adc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1b34:$xo1: oMXKNNC\x0D\x17\x0C\x12
6229.1.00007fc8b8455000.00007fc8b8457000.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x1584:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x166c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x16e0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1754:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19d4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1a2c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1a84:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1adc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1b34:$xo1: oMXKNNC\x0D\x17\x0C\x12
6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x145b8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14628:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14698:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14708:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x149e8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14a3c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14a90:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14ae4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14b38:$xo1: oMXKNNC\x0D\x17\x0C\x12
6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x13e50:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x145b8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14628:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14698:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14708:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x149e8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14a3c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14a90:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14ae4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14b38:$xo1: oMXKNNC\x0D\x17\x0C\x12
6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x13e50:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6235.1.00007fc8b8455000.00007fc8b8457000.rw-.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x1584:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x15f8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x166c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x16e0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1754:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x19d4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1a2c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1a84:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1adc:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x1b34:$xo1: oMXKNNC\x0D\x17\x0C\x12
6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x145b8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14628:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14698:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14708:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14778:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x149e8:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14a3c:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14a90:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14ae4:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x14b38:$xo1: oMXKNNC\x0D\x17\x0C\x12
6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x13e50:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
Click to see the 7 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: f03XBkpBK6.elf	ReversingLabs: Detection: 52%
Source: f03XBkpBK6.elf	Virustotal: Detection: 41%			Perma Link

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51072
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51074
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51076
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51080
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51082
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51102
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51106
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39808
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39818
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39822
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39826
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39828
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39834
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39836
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39838
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39844
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40014
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40016
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40018
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40020
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40022
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40024
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40034
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40038
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40040

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:35708 -> 51.81.138.210:1312

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 51.81.138.210
Source: unknown	TCP traffic detected without corresponding DNS query: 187.4.90.207
Source: unknown	TCP traffic detected without corresponding DNS query: 152.205.18.207
Source: unknown	TCP traffic detected without corresponding DNS query: 159.88.249.87
Source: unknown	TCP traffic detected without corresponding DNS query: 106.246.13.74
Source: unknown	TCP traffic detected without corresponding DNS query: 211.53.224.181
Source: unknown	TCP traffic detected without corresponding DNS query: 203.175.26.121
Source: unknown	TCP traffic detected without corresponding DNS query: 122.86.122.44
Source: unknown	TCP traffic detected without corresponding DNS query: 70.32.69.1
Source: unknown	TCP traffic detected without corresponding DNS query: 223.192.30.122
Source: unknown	TCP traffic detected without corresponding DNS query: 97.120.249.55
Source: unknown	TCP traffic detected without corresponding DNS query: 73.175.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 174.11.108.60
Source: unknown	TCP traffic detected without corresponding DNS query: 208.17.24.140
Source: unknown	TCP traffic detected without corresponding DNS query: 192.201.102.224
Source: unknown	TCP traffic detected without corresponding DNS query: 162.94.40.160
Source: unknown	TCP traffic detected without corresponding DNS query: 161.203.222.193
Source: unknown	TCP traffic detected without corresponding DNS query: 216.213.38.55
Source: unknown	TCP traffic detected without corresponding DNS query: 44.192.72.116
Source: unknown	TCP traffic detected without corresponding DNS query: 119.105.21.129
Source: unknown	TCP traffic detected without corresponding DNS query: 148.6.93.108
Source: unknown	TCP traffic detected without corresponding DNS query: 251.98.141.90
Source: unknown	TCP traffic detected without corresponding DNS query: 2.221.189.68
Source: unknown	TCP traffic detected without corresponding DNS query: 176.56.11.138
Source: unknown	TCP traffic detected without corresponding DNS query: 63.189.62.154
Source: unknown	TCP traffic detected without corresponding DNS query: 98.85.211.155
Source: unknown	TCP traffic detected without corresponding DNS query: 1.242.97.191
Source: unknown	TCP traffic detected without corresponding DNS query: 71.148.30.157
Source: unknown	TCP traffic detected without corresponding DNS query: 69.47.8.124
Source: unknown	TCP traffic detected without corresponding DNS query: 197.150.216.82
Source: unknown	TCP traffic detected without corresponding DNS query: 111.58.90.37
Source: unknown	TCP traffic detected without corresponding DNS query: 31.206.179.135
Source: unknown	TCP traffic detected without corresponding DNS query: 12.223.120.48
Source: unknown	TCP traffic detected without corresponding DNS query: 5.65.68.90
Source: unknown	TCP traffic detected without corresponding DNS query: 53.4.78.219
Source: unknown	TCP traffic detected without corresponding DNS query: 152.121.84.156
Source: unknown	TCP traffic detected without corresponding DNS query: 211.231.188.135
Source: unknown	TCP traffic detected without corresponding DNS query: 153.175.99.220
Source: unknown	TCP traffic detected without corresponding DNS query: 249.174.63.51
Source: unknown	TCP traffic detected without corresponding DNS query: 19.79.6.61
Source: unknown	TCP traffic detected without corresponding DNS query: 254.186.207.97
Source: unknown	TCP traffic detected without corresponding DNS query: 96.23.24.83
Source: unknown	TCP traffic detected without corresponding DNS query: 60.85.212.54
Source: unknown	TCP traffic detected without corresponding DNS query: 86.253.65.233
Source: unknown	TCP traffic detected without corresponding DNS query: 144.42.38.156
Source: unknown	TCP traffic detected without corresponding DNS query: 211.29.40.219
Source: unknown	TCP traffic detected without corresponding DNS query: 53.103.62.2
Source: unknown	TCP traffic detected without corresponding DNS query: 9.35.68.16
Source: unknown	TCP traffic detected without corresponding DNS query: 112.86.91.46
Source: unknown	TCP traffic detected without corresponding DNS query: 191.18.48.23

Source: f03XBkpBK6.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: LOAD without section mappings

Program segment: 0x100000

Source: 6226.1.00007fc8b8455000.00007fc8b8457000.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6229.1.00007fc8b8455000.00007fc8b8457000.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6235.1.00007fc8b8455000.00007fc8b8457000.rw-.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: classification engine

Classification label: mal80.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1582/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2033/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2275/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/3088/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/6191/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/6190/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1612/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1579/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1699/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1335/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1698/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2028/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1334/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1576/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2302/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/3236/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2025/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2146/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/910/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/912/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/517/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/759/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/6228/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2307/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/918/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/6240/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1594/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2285/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2281/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1349/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1623/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/761/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1622/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/884/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1983/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2038/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1344/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1465/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1586/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1860/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1463/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2156/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/800/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/801/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/6237/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1629/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1627/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1900/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4470/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/3021/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/491/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2294/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2050/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1877/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/772/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1633/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1599/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1632/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/774/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1477/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/654/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/896/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1476/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1872/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2048/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/655/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1475/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2289/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/656/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/777/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/657/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/658/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4467/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4468/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4469/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4502/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/419/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/936/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1639/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1638/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2208/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2180/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1809/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1494/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1890/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2063/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2062/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1888/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1886/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/420/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1489/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/785/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1642/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/788/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/667/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/789/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/1648/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4491/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/6155/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/4498/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2078/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2077/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2074/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/2195/exe
Source: /tmp/f03XBkpBK6.elf (PID: 6234)	File opened: /proc/670/exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51072
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51074
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51076
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51080
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51082
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51102
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 51106
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39808
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39818
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39822
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39826
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39828
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39834
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39836
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39838
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39844
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40014
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40016
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40018
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40020
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40022
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40024
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40034
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40038
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 40040

Source: f03XBkpBK6.elf

Submission file: segment LOAD with 7.9039 entropy (max. 8.0)

Source: /tmp/f03XBkpBK6.elf (PID: 6226)

Queries kernel information via 'uname':

Source: f03XBkpBK6.elf, 6226.1.000055975821d000.00005597582c4000.rw-.sdmp, f03XBkpBK6.elf, 6229.1.000055975821d000.00005597582a4000.rw-.sdmp, f03XBkpBK6.elf, 6235.1.000055975821d000.00005597582a4000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: f03XBkpBK6.elf, 6226.1.00007ffdd4bd1000.00007ffdd4bf2000.rw-.sdmp, f03XBkpBK6.elf, 6229.1.00007ffdd4bd1000.00007ffdd4bf2000.rw-.sdmp, f03XBkpBK6.elf, 6235.1.00007ffdd4bd1000.00007ffdd4bf2000.rw-.sdmp	Binary or memory string: 5x86_64/usr/bin/qemu-mipsel/tmp/f03XBkpBK6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/f03XBkpBK6.elf
Source: f03XBkpBK6.elf, 6226.1.000055975821d000.00005597582c4000.rw-.sdmp, f03XBkpBK6.elf, 6229.1.000055975821d000.00005597582a4000.rw-.sdmp, f03XBkpBK6.elf, 6235.1.000055975821d000.00005597582a4000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: f03XBkpBK6.elf, 6226.1.00007ffdd4bd1000.00007ffdd4bf2000.rw-.sdmp, f03XBkpBK6.elf, 6229.1.00007ffdd4bd1000.00007ffdd4bf2000.rw-.sdmp, f03XBkpBK6.elf, 6235.1.00007ffdd4bd1000.00007ffdd4bf2000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6226.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6235.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6229.1.00007fc8b8400000.00007fc8b8415000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
f03XBkpBK6.elf	52%	ReversingLabs	Linux.Trojan.Mirai
f03XBkpBK6.elf	41%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	f03XBkpBK6.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
155.35.98.213	unknown	United States	24324	KORDIA-TRANSIT-AS-APKordiaLimitedNZ	false
101.228.227.91	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
204.30.147.16	unknown	United States	3356	LEVEL3US	false
40.83.2.247	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.231.235.136	unknown	United States	15169	GOOGLEUS	false
158.151.234.190	unknown	United States	26442	DNB-US	false
20.132.231.191	unknown	United States	206	CSC-IGN-AMERUS	false
32.250.225.133	unknown	United States	2686	ATGS-MMD-ASUS	false
212.246.61.101	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
197.204.101.52	unknown	Algeria	36947	ALGTEL-ASDZ	false
101.8.222.161	unknown	Taiwan; Republic of China (ROC)	701	UUNETUS	false
70.202.90.164	unknown	United States	22394	CELLCOUS	false
172.123.164.243	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
104.235.30.136	unknown	United States	22379	MANIFOLDUS	false
242.150.57.1	unknown	Reserved	unknown	unknown	false
144.80.148.191	unknown	United States	62989	IUPUS	false
97.45.39.141	unknown	United States	22394	CELLCOUS	false
80.36.110.218	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
31.48.217.190	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
90.217.222.125	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
187.121.39.106	unknown	Brazil	19182	TELEFONICABRASILSABR	false
66.236.63.185	unknown	United States	2828	XO-AS15US	false
145.116.23.144	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
122.117.147.238	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
248.77.126.194	unknown	Reserved	unknown	unknown	false
253.254.230.97	unknown	Reserved	unknown	unknown	false
218.193.82.71	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
142.31.170.14	unknown	Canada	3633	PROVINCE-OF-BRITISH-COLUMBIACA	false
107.127.53.141	unknown	United States	7018	ATT-INTERNET4US	false
223.245.245.95	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
123.63.98.82	unknown	India	55410	VIL-AS-APVodafoneIdeaLtdIN	false
80.50.183.227	unknown	Poland	5617	TPNETPL	false
65.248.145.171	unknown	United States	701	UUNETUS	false
133.195.181.231	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
73.83.162.186	unknown	United States	7922	COMCAST-7922US	false
76.41.20.91	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
185.216.12.42	unknown	Russian Federation	41161	REALWEB-ASRU	false
59.180.5.108	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
60.121.113.4	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
75.9.72.18	unknown	United States	7018	ATT-INTERNET4US	false
133.98.75.26	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
172.131.55.193	unknown	United States	7018	ATT-INTERNET4US	false
12.203.71.89	unknown	United States	22983	FISERV-INCUS	false
249.33.223.198	unknown	Reserved	unknown	unknown	false
85.77.171.140	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
156.63.125.11	unknown	United States	19902	NET-STATE-OHIOUS	false
153.119.253.101	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
154.95.51.164	unknown	Seychelles	54600	PEGTECHINCUS	false
253.238.149.215	unknown	Reserved	unknown	unknown	false
87.143.249.130	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
250.246.178.84	unknown	Reserved	unknown	unknown	false
82.204.20.201	unknown	Netherlands	15670	BBNED-AS1NL	false
200.175.108.106	unknown	Brazil	18881	TELEFONICABRASILSABR	false
105.88.235.219	unknown	Egypt	36992	ETISALAT-MISREG	false
190.87.62.2	unknown	El Salvador	14754	TelguaGT	false
240.156.18.94	unknown	Reserved	unknown	unknown	false
90.80.141.126	unknown	France	3215	FranceTelecom-OrangeFR	false
253.173.143.152	unknown	Reserved	unknown	unknown	false
246.33.49.77	unknown	Reserved	unknown	unknown	false
102.63.100.89	unknown	Egypt	36992	ETISALAT-MISREG	false
241.141.146.48	unknown	Reserved	unknown	unknown	false
133.25.175.80	unknown	Japan	55379	HOSEI-NETHoseiUniversityJP	false
158.49.59.106	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
158.128.204.184	unknown	Canada	721	DNIC-ASBLK-00721-00726US	false
196.130.79.57	unknown	Egypt	36935	Vodafone-EG	false
171.60.231.176	unknown	India	24560	AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices	false
100.149.110.121	unknown	United States	21928	T-MOBILE-AS21928US	false
23.196.34.233	unknown	United States	20940	AKAMAI-ASN1EU	false
125.120.126.142	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
58.65.191.26	unknown	Pakistan	23674	NAYATEL-PKNayatelPvtLtdPK	false
12.150.234.90	unknown	United States	2386	INS-ASUS	false
240.9.25.12	unknown	Reserved	unknown	unknown	false
88.211.88.51	unknown	United Kingdom	35575	VAIONIGB	false
140.230.5.22	unknown	Canada	8111	DALUNIVCA	false
160.18.19.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	false
126.1.101.35	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
160.168.12.233	unknown	Morocco	6713	IAM-ASMA	false
147.144.77.90	unknown	United States	2152	CSUNET-NWUS	false
85.231.153.146	unknown	Sweden	2119	TELENOR-NEXTELTelenorNorgeASNO	false
87.120.3.93	unknown	Bulgaria	34577	SKATTV-ASBG	false
42.176.235.4	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
2.209.235.24	unknown	Germany	6805	TDDE-ASN1DE	false
156.134.58.77	unknown	United States	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
168.181.68.212	unknown	Brazil	265357	KDINTERNETBR	false
179.68.220.84	unknown	Brazil	7738	TelemarNorteLesteSABR	false
73.244.217.200	unknown	United States	7922	COMCAST-7922US	false
145.170.88.101	unknown	Netherlands	59524	KPN-IAASNL	false
114.140.203.30	unknown	Taiwan; Republic of China (ROC)	9674	FET-TWFarEastToneTelecommunicationCoLtdTW	false
45.222.232.161	unknown	Ghana	37282	MAINONENG	false
153.51.249.240	unknown	United States	14962	NCR-252US	false
206.70.233.170	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
217.230.103.141	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
120.13.218.124	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
192.110.155.171	unknown	United States	393835	CCS-COLOUS	false
169.255.104.242	unknown	Kenya	327906	EMBARQKE	false
124.5.1.168	unknown	Korea Republic of	10036	CNM-AS-KRDLIVEKR	false
117.180.195.198	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
147.177.133.237	unknown	United States	243	HARRIS-ATD-ASUS	false
161.50.51.158	unknown	Australia	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
58.192.78.190	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.900277247917175
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	f03XBkpBK6.elf
File size:	30316
MD5:	55d542dcd32aee3788c86ab2ae634ca6
SHA1:	2d8927726e1c34cd6355c8095aef1dd27c5e86ae
SHA256:	815804338b816bf198769f53a3962dd33a04b16dffef46a87ac89e9775adae6b
SHA512:	282401d5563bcf39a65962730dd347a41ae3ec75f95cbf13adaeece28608d31c27d024b01485c166222cb040935ff060475f95ee19c592e5e62392305097bdb4
SSDEEP:	768:C1uUtLrVDsAp6tLkF4FuetwEub4sU/M9g36KNSJb8WUP:CbDs06t4BEub4sU/MbUSAP
TLSH:	EED2E12CD94D7D05DAAD3EBE50CE9AF5298C74C0A35DEACE07168448B617ACBEC071E4
File Content Preview:	.ELF.....................b..4...........4. ...(.....................Eu..Eu...............[...[E..[E.................u...UPX!`........Z...Z......S..........?.E.h;....#......b.L#8....&C........}+..ze.aw....2"ds...:.Z...;.g...l.D.....t6/..N...^.............+

Static ELF Info

ELF header
Class:
Data:
Version:
Machine:
Version Number:
Type:
OS/ABI:
ABI Version:
Entry Point Address:
Flags:
ELF Header Size:
Program Header Offset:
Program Header Size:
Number of Program Headers:
Section Header Offset:
Section Header Size:
Number of Section Headers:
Header String Table Index:

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x7545	0x7545	7.9039	0x5	R E	0x10000
LOAD	0x5b00	0x455b00	0x455b00	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 02:12:24.979813099 CET	35708	1312	192.168.2.23	51.81.138.210
Nov 29, 2022 02:12:25.012173891 CET	43259	23	192.168.2.23	187.4.90.207
Nov 29, 2022 02:12:25.012768984 CET	43259	23	192.168.2.23	152.205.18.207
Nov 29, 2022 02:12:25.012885094 CET	43259	23	192.168.2.23	159.88.249.87
Nov 29, 2022 02:12:25.014132023 CET	43259	23	192.168.2.23	106.246.13.74
Nov 29, 2022 02:12:25.014200926 CET	43259	23	192.168.2.23	211.53.224.181
Nov 29, 2022 02:12:25.014200926 CET	43259	23	192.168.2.23	203.175.26.121
Nov 29, 2022 02:12:25.014262915 CET	43259	23	192.168.2.23	122.86.122.44
Nov 29, 2022 02:12:25.014285088 CET	43259	23	192.168.2.23	70.32.69.1
Nov 29, 2022 02:12:25.014457941 CET	43259	23	192.168.2.23	223.192.30.122
Nov 29, 2022 02:12:25.014457941 CET	43259	23	192.168.2.23	97.120.249.55
Nov 29, 2022 02:12:25.014462948 CET	43259	23	192.168.2.23	200.229.110.204
Nov 29, 2022 02:12:25.014492989 CET	43259	23	192.168.2.23	73.175.72.101
Nov 29, 2022 02:12:25.014492989 CET	43259	23	192.168.2.23	174.11.108.60
Nov 29, 2022 02:12:25.014529943 CET	43259	23	192.168.2.23	208.17.24.140
Nov 29, 2022 02:12:25.014540911 CET	43259	23	192.168.2.23	192.201.102.224
Nov 29, 2022 02:12:25.014559031 CET	43259	23	192.168.2.23	162.94.40.160
Nov 29, 2022 02:12:25.014566898 CET	43259	23	192.168.2.23	161.203.222.193
Nov 29, 2022 02:12:25.014566898 CET	43259	23	192.168.2.23	216.213.38.55
Nov 29, 2022 02:12:25.014638901 CET	43259	23	192.168.2.23	44.192.72.116
Nov 29, 2022 02:12:25.014856100 CET	43259	23	192.168.2.23	119.105.21.129
Nov 29, 2022 02:12:25.014863968 CET	43259	23	192.168.2.23	148.6.93.108
Nov 29, 2022 02:12:25.014892101 CET	43259	23	192.168.2.23	251.98.141.90
Nov 29, 2022 02:12:25.014894009 CET	43259	23	192.168.2.23	2.221.189.68
Nov 29, 2022 02:12:25.014974117 CET	43259	23	192.168.2.23	176.56.11.138
Nov 29, 2022 02:12:25.015058994 CET	43259	23	192.168.2.23	63.189.62.154
Nov 29, 2022 02:12:25.015059948 CET	43259	23	192.168.2.23	98.85.211.155
Nov 29, 2022 02:12:25.015166044 CET	43259	23	192.168.2.23	1.242.97.191
Nov 29, 2022 02:12:25.015181065 CET	43259	23	192.168.2.23	71.148.30.157
Nov 29, 2022 02:12:25.015182018 CET	43259	23	192.168.2.23	69.47.8.124
Nov 29, 2022 02:12:25.015194893 CET	43259	23	192.168.2.23	197.150.216.82
Nov 29, 2022 02:12:25.015197992 CET	43259	23	192.168.2.23	111.58.90.37
Nov 29, 2022 02:12:25.015197992 CET	43259	23	192.168.2.23	31.206.179.135
Nov 29, 2022 02:12:25.015197992 CET	43259	23	192.168.2.23	12.223.120.48
Nov 29, 2022 02:12:25.015198946 CET	43259	23	192.168.2.23	5.65.68.90
Nov 29, 2022 02:12:25.015223980 CET	43259	23	192.168.2.23	53.4.78.219
Nov 29, 2022 02:12:25.015229940 CET	43259	23	192.168.2.23	152.121.84.156
Nov 29, 2022 02:12:25.015230894 CET	43259	23	192.168.2.23	211.231.188.135
Nov 29, 2022 02:12:25.015283108 CET	43259	23	192.168.2.23	153.175.99.220
Nov 29, 2022 02:12:25.015290022 CET	43259	23	192.168.2.23	249.174.63.51
Nov 29, 2022 02:12:25.015297890 CET	43259	23	192.168.2.23	19.79.6.61
Nov 29, 2022 02:12:25.015312910 CET	43259	23	192.168.2.23	254.186.207.97
Nov 29, 2022 02:12:25.015314102 CET	43259	23	192.168.2.23	96.23.24.83
Nov 29, 2022 02:12:25.015321970 CET	43259	23	192.168.2.23	60.85.212.54
Nov 29, 2022 02:12:25.015321970 CET	43259	23	192.168.2.23	86.253.65.233
Nov 29, 2022 02:12:25.015321970 CET	43259	23	192.168.2.23	144.42.38.156
Nov 29, 2022 02:12:25.015383959 CET	43259	23	192.168.2.23	211.29.40.219
Nov 29, 2022 02:12:25.015434027 CET	43259	23	192.168.2.23	53.103.62.2
Nov 29, 2022 02:12:25.015434980 CET	43259	23	192.168.2.23	9.35.68.16
Nov 29, 2022 02:12:25.015436888 CET	43259	23	192.168.2.23	112.86.91.46
Nov 29, 2022 02:12:25.015449047 CET	43259	23	192.168.2.23	191.18.48.23
Nov 29, 2022 02:12:25.015475988 CET	43259	23	192.168.2.23	159.227.95.9
Nov 29, 2022 02:12:25.015476942 CET	43259	23	192.168.2.23	46.242.60.170
Nov 29, 2022 02:12:25.015476942 CET	43259	23	192.168.2.23	181.98.117.209
Nov 29, 2022 02:12:25.015480995 CET	43259	23	192.168.2.23	53.83.224.157
Nov 29, 2022 02:12:25.015516043 CET	43259	23	192.168.2.23	80.216.12.209
Nov 29, 2022 02:12:25.015830040 CET	43259	23	192.168.2.23	23.46.52.230
Nov 29, 2022 02:12:25.015870094 CET	43259	23	192.168.2.23	168.9.114.186
Nov 29, 2022 02:12:25.016021013 CET	43259	23	192.168.2.23	110.111.99.148
Nov 29, 2022 02:12:25.016022921 CET	43259	23	192.168.2.23	167.12.125.104
Nov 29, 2022 02:12:25.016096115 CET	43259	23	192.168.2.23	146.204.132.75
Nov 29, 2022 02:12:25.016174078 CET	43259	23	192.168.2.23	245.3.66.158
Nov 29, 2022 02:12:25.016237974 CET	43259	23	192.168.2.23	153.234.248.124
Nov 29, 2022 02:12:25.016258001 CET	43259	23	192.168.2.23	107.36.227.25
Nov 29, 2022 02:12:25.016272068 CET	43259	23	192.168.2.23	160.248.5.204
Nov 29, 2022 02:12:25.016314030 CET	43259	23	192.168.2.23	107.215.3.223
Nov 29, 2022 02:12:25.016691923 CET	43259	23	192.168.2.23	248.25.200.93
Nov 29, 2022 02:12:25.016693115 CET	43259	23	192.168.2.23	246.28.214.48
Nov 29, 2022 02:12:25.016697884 CET	43259	23	192.168.2.23	202.89.91.205
Nov 29, 2022 02:12:25.016699076 CET	43259	23	192.168.2.23	39.77.108.193
Nov 29, 2022 02:12:25.016697884 CET	43259	23	192.168.2.23	34.87.5.132
Nov 29, 2022 02:12:25.016707897 CET	43259	23	192.168.2.23	35.243.209.193
Nov 29, 2022 02:12:25.016731024 CET	43259	23	192.168.2.23	122.203.66.248
Nov 29, 2022 02:12:25.016758919 CET	43259	23	192.168.2.23	120.233.190.51
Nov 29, 2022 02:12:25.016763926 CET	43259	23	192.168.2.23	181.38.54.48
Nov 29, 2022 02:12:25.016796112 CET	43259	23	192.168.2.23	123.0.40.75
Nov 29, 2022 02:12:25.016940117 CET	43259	23	192.168.2.23	39.248.82.87
Nov 29, 2022 02:12:25.016993999 CET	43259	23	192.168.2.23	247.17.162.60
Nov 29, 2022 02:12:25.017041922 CET	43259	23	192.168.2.23	151.63.167.68
Nov 29, 2022 02:12:25.017227888 CET	43259	23	192.168.2.23	104.107.128.100
Nov 29, 2022 02:12:25.017363071 CET	43259	23	192.168.2.23	199.53.105.81
Nov 29, 2022 02:12:25.017364025 CET	43259	23	192.168.2.23	111.118.124.125
Nov 29, 2022 02:12:25.017371893 CET	43259	23	192.168.2.23	85.175.201.196
Nov 29, 2022 02:12:25.017378092 CET	43259	23	192.168.2.23	23.165.219.34
Nov 29, 2022 02:12:25.017472029 CET	43259	23	192.168.2.23	100.212.47.172
Nov 29, 2022 02:12:25.017472982 CET	43259	23	192.168.2.23	75.81.88.138
Nov 29, 2022 02:12:25.017537117 CET	43259	23	192.168.2.23	17.142.168.240
Nov 29, 2022 02:12:25.017538071 CET	43259	23	192.168.2.23	152.245.179.49
Nov 29, 2022 02:12:25.017544985 CET	43259	23	192.168.2.23	182.60.31.104
Nov 29, 2022 02:12:25.017559052 CET	43259	23	192.168.2.23	170.106.149.95
Nov 29, 2022 02:12:25.017559052 CET	43259	23	192.168.2.23	67.227.99.20
Nov 29, 2022 02:12:25.017559052 CET	43259	23	192.168.2.23	245.232.133.187
Nov 29, 2022 02:12:25.017560959 CET	43259	23	192.168.2.23	122.250.198.11
Nov 29, 2022 02:12:25.017563105 CET	43259	23	192.168.2.23	148.224.174.31
Nov 29, 2022 02:12:25.017563105 CET	43259	23	192.168.2.23	218.236.182.44
Nov 29, 2022 02:12:25.017564058 CET	43259	23	192.168.2.23	85.14.126.214
Nov 29, 2022 02:12:25.017563105 CET	43259	23	192.168.2.23	38.112.178.29
Nov 29, 2022 02:12:25.017565966 CET	43259	23	192.168.2.23	210.181.168.155
Nov 29, 2022 02:12:25.017564058 CET	43259	23	192.168.2.23	192.127.146.178
Nov 29, 2022 02:12:25.017565966 CET	43259	23	192.168.2.23	216.3.122.173

System Behavior

Analysis Process: f03XBkpBK6.elf PID: 6226, Parent PID: 6125

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	/tmp/f03XBkpBK6.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: f03XBkpBK6.elf PID: 6228, Parent PID: 6226

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: f03XBkpBK6.elf PID: 6229, Parent PID: 6226

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: f03XBkpBK6.elf PID: 6231, Parent PID: 6226

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: f03XBkpBK6.elf PID: 6234, Parent PID: 6231

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: f03XBkpBK6.elf PID: 6235, Parent PID: 6231

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: f03XBkpBK6.elf PID: 6237, Parent PID: 6231

General

Start time:	02:12:24
Start date:	29/11/2022
Path:	/tmp/f03XBkpBK6.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report f03XBkpBK6.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: f03XBkpBK6.elf PID: 6226, Parent PID: 6125

General

Analysis Process: f03XBkpBK6.elf PID: 6228, Parent PID: 6226

General

Analysis Process: f03XBkpBK6.elf PID: 6229, Parent PID: 6226

General

Analysis Process: f03XBkpBK6.elf PID: 6231, Parent PID: 6226

General

Analysis Process: f03XBkpBK6.elf PID: 6234, Parent PID: 6231

General

Analysis Process: f03XBkpBK6.elf PID: 6235, Parent PID: 6231

General

Analysis Process: f03XBkpBK6.elf PID: 6237, Parent PID: 6231

General

Linux Analysis Report
f03XBkpBK6.elf