Sample : 40e8ab5f01970c71dcf028843c82db209a174ac082440042cf03450f8ff6ae62

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
CPU type : Intel 80386
Entropy : 6.47183486334
Syscalls executed (root) : 15
Syscalls executed (user) : 14
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 1
Machine : Intel 80386
Link : static
Entrypoint : 0x8048164
Number of segments : 3
Number of sections : 10
Program header table offset : 52
Section header table offset : 53632
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 10
Section header table - index of section names (e_shstrndx) : 9
Stripped : True
Sections stripped : False

Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 6.511539
Memory size doubles physical size : PT_LOAD at offset 0xd000

Sections
Uncommon sections : section without a name

Debug information : False
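The ELF values above are read from the 52-byte Elf32_Ehdr and from the program header table it points to. The Python below is an added example, not the report's or its tooling's code: it decodes those two structures from a constructed little-endian 32-bit image whose file header fields are set to the values reported above, reproduces the "Memory size doubles physical size" check for PT_LOAD segments, and derives the smallest file size consistent with the header. The program header contents (virtual addresses, sizes, flags, and the third PT_GNU_STACK entry) are assumed values, since the report gives only the two PT_LOAD offsets; the entropy anomaly needs the segment bytes and is not reproduced here.

```python
import struct
from typing import List, NamedTuple

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551  # PT_LOOS + 0x474e551, as in elf.h


class Elf32Header(NamedTuple):
    e_type: int
    e_machine: int
    e_entry: int
    e_phoff: int
    e_shoff: int
    e_phentsize: int
    e_phnum: int
    e_shentsize: int
    e_shnum: int
    e_shstrndx: int


class Elf32Phdr(NamedTuple):
    p_type: int
    p_offset: int
    p_vaddr: int
    p_filesz: int
    p_memsz: int
    p_flags: int


def parse_elf32_header(data: bytes) -> Elf32Header:
    """Decode a little-endian ELFCLASS32 file header (the first 52 bytes)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if (data[4], data[5], data[6]) != (1, 1, 1):  # EI_CLASS, EI_DATA, EI_VERSION
        raise ValueError("only ELFCLASS32 / ELFDATA2LSB / EV_CURRENT is handled")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(
        "<HHIIIIIHHHHHH", data, 16)
    if e_ehsize != 52 or e_phentsize != 32 or e_shentsize != 40:
        raise ValueError("unexpected header entry sizes for a 32-bit ELF")
    return Elf32Header(e_type, e_machine, e_entry, e_phoff, e_shoff,
                       e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx)


def parse_program_headers(data: bytes, hdr: Elf32Header) -> List[Elf32Phdr]:
    """Read e_phnum Elf32_Phdr entries starting at e_phoff."""
    phdrs = []
    for i in range(hdr.e_phnum):
        off = hdr.e_phoff + i * hdr.e_phentsize
        if off + hdr.e_phentsize > len(data):
            raise ValueError("program header table runs past end of file")
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz,
         p_flags, _align) = struct.unpack_from("<8I", data, off)
        phdrs.append(Elf32Phdr(p_type, p_offset, p_vaddr, p_filesz, p_memsz, p_flags))
    return phdrs


def segment_anomalies(phdrs: List[Elf32Phdr]) -> List[str]:
    """Flag PT_LOAD segments whose in-memory size is at least twice the bytes
    backing them in the file (a large .bss, or a packer's unpacking area)."""
    notes = []
    for ph in phdrs:
        if ph.p_type == PT_LOAD and ph.p_filesz and ph.p_memsz >= 2 * ph.p_filesz:
            notes.append(f"Memory size doubles physical size : PT_LOAD at offset {ph.p_offset:#x}")
    return notes


def expected_min_size(hdr: Elf32Header) -> int:
    """With the section header table placed last (the usual linker layout),
    a file shorter than this has been truncated."""
    return hdr.e_shoff + hdr.e_shnum * hdr.e_shentsize


def build_sample_image() -> bytes:
    """Constructed image for this example, not the analysed sample. The file
    header mirrors the report; the program headers are assumed values."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,            # ET_EXEC, EM_386, EV_CURRENT
        0x8048164,          # e_entry
        52, 53632, 0, 52,   # e_phoff, e_shoff, e_flags, e_ehsize
        32, 3, 40, 10, 9)   # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdrs = struct.pack("<8I", PT_LOAD, 0x0, 0x08048000, 0x08048000, 0xCF00, 0xCF00, 5, 0x1000)
    phdrs += struct.pack("<8I", PT_LOAD, 0xD000, 0x08055000, 0x08055000, 0xD8, 0x2A8, 6, 0x1000)
    phdrs += struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 6, 16)
    return ehdr + phdrs


def analyze(data: bytes):
    hdr = parse_elf32_header(data)
    phdrs = parse_program_headers(data, hdr)
    return hdr, phdrs, segment_anomalies(phdrs)


if __name__ == "__main__":
    hdr, phdrs, notes = analyze(build_sample_image())
    print(f"Entrypoint : {hdr.e_entry:#x}")
    print(f"Program header table offset : {hdr.e_phoff}")
    print(f"Section header table offset : {hdr.e_shoff}")
    print(f"Section header table - index of section names : {hdr.e_shstrndx}")
    print(f"Expected minimum file size : {expected_min_size(hdr)}")
    for note in notes:
        print(note)
```

The second PT_LOAD in the constructed image is the data segment: its p_memsz is larger than p_filesz because .bss occupies memory but no file bytes, which is the benign reason a statically linked binary trips this check. Run the same parser on a real file by replacing build_sample_image() with the file's bytes.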

Hash

MD5 : 3c86c00ab428605a6fbb4d13cb1c4036
SHA1 : 94786f2332edf82d36e088be671515832b742fa7
SHA256 : 40e8ab5f01970c71dcf028843c82db209a174ac082440042cf03450f8ff6ae62
SHA512 : 062bb669cc88e6cf1f811d2314e704e351d6ce04b5d4a9828ea8a1979255d1d760910a0affdf86d5094fa753c93d6a7ba248e8bfe33062bc45fc8c4d1fec5c6c
ssdeep : 1536:u8OP6OftfvJfrJf0hJeVVMKnZ/78snmi86eCOYcPnY7DGGgvzn:/OfVxfrJfAJ2VTZgsmi86epRnY76P

Bytes

Entropy : 6.47183486334
Min entropy (16KB blocks) : 6.2450598382
Max entropy (16KB blocks) : 6.55323721142
Unique bytes (0-255) : 256
Null bytes : 8135
White spaces : 1442
Printable bytes : 17748
First 16B : 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Longest same bytes sequence
Byte : 0x0
Offset : 0xce02
Length : 511
Three rarest bytes
0xb3 - 8 times
0xb5 - 8 times
0xae - 7 times
Three most common bytes
0x0 - 8135 times
0x24 - 2293 times
0xff - 1958 times
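The byte statistics above are cheap to reproduce and worth recomputing when comparing variants. The Python below is an added example, not the report's code: it computes Shannon entropy in bits per byte for the whole buffer and the minimum and maximum over 16 KB blocks, the null, whitespace and printable counts, the longest run of one byte value, and the most and least common byte values, keyed by the report's own labels. It runs over a constructed buffer that is not the sample (only its first and last 16 bytes are set to match the report, so the output can be compared by eye); the whitespace and printable classes are this example's own definitions, since the report does not state which bytes it counts.

```python
import math
from collections import Counter
from typing import Dict, Tuple

BLOCK_SIZE = 16 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when
    all 256 values are equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropy_range(data: bytes, block_size: int = BLOCK_SIZE) -> Tuple[float, float]:
    """Min and max entropy over consecutive fixed-size blocks; a low minimum next
    to a high maximum points at mixed content (plain code beside packed data)."""
    ents = [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]
    return min(ents), max(ents)


def longest_run(data: bytes) -> Tuple[int, int, int]:
    """(byte value, offset, length) of the longest run of one repeated byte."""
    best = (0, 0, 0)
    start = 0
    for i in range(1, len(data) + 1):
        if i == len(data) or data[i] != data[start]:
            if i - start > best[2]:
                best = (data[start], start, i - start)
            start = i
    return best


def byte_report(data: bytes) -> Dict[str, object]:
    """Same metrics as the 'Bytes' section, keyed by the report's labels."""
    counts = Counter(data)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))  # most common first
    lo, hi = block_entropy_range(data)
    return {
        "Entropy": shannon_entropy(data),
        "Min entropy (16KB blocks)": lo,
        "Max entropy (16KB blocks)": hi,
        "Unique bytes (0-255)": len(counts),
        "Null bytes": counts[0],
        # assumed class: ASCII whitespace (space, \t, \n, \r, \v, \f)
        "White spaces": sum(counts[b] for b in b" \t\n\r\x0b\x0c"),
        # assumed class: printable ASCII 0x20..0x7e
        "Printable bytes": sum(counts[b] for b in range(0x20, 0x7F)),
        "First 16B": data[:16].hex(" "),
        "Last 16B": data[-16:].hex(" "),
        "Longest same bytes sequence": longest_run(data),
        "Three most common bytes": ranked[:3],
        "Three rarest bytes": ranked[-3:],
    }


def build_sample() -> bytes:
    """Constructed input, not the sample from the report: an ELF-like first 16
    bytes, 40000 bytes of patterned filler standing in for code, a 511-byte
    run of zeros and a short trailer ending in the report's last 16 bytes."""
    head = bytes.fromhex("7f454c46010101000000000000000000")
    filler = bytes((37 * i + (i >> 3)) & 0xFF for i in range(40000))  # no repeated neighbours
    zeros = b"\x00" * 511
    tail = b"\x24" * 64 + b"\xff" * 32 + b"\x00" * 8 + b"\x01" + b"\x00" * 7
    return head + filler + zeros + tail


if __name__ == "__main__":
    for key, value in byte_report(build_sample()).items():
        print(f"{key} : {value}")
```

A 511-byte run of 0x00 near the end of the file, as in the report, is typically section padding or zero-initialised data that the linker still emitted; the interesting signal for packed or encrypted payloads is a block entropy approaching 8.0, which this sample (max 6.55) does not show.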

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/40e8ab5f01970c71dcf028843c82db209a174ac082440042cf03450f8ff6ae62
Positive : 18
Total AVs : 57
Scan date : 2019-04-15 07:17:51
AVClass : mirai
Detection
Ikarus : Trojan.Linux.Mirai
DrWeb : Linux.Mirai.793
Sophos : Mal/Generic-S
Antiy-AVL : Trojan[Backdoor]/Linux.Mirai.ba
Avast-Mobile : ELF:Mirai-UM [Trj]
McAfee : Linux/Mirai.g
SentinelOne : DFI - Malicious ELF
Kaspersky : HEUR:Backdoor.Linux.Mirai.ba
McAfee-GW-Edition : Linux/Mirai.g
Avast : ELF:Mirai-HU [Trj]
Fortinet : ELF/Mirai.OX!tr
ESET-NOD32 : a variant of Linux/Mirai.AT
TrendMicro-HouseCall : Trojan.Linux.MIRAI.SMMR1
AhnLab-V3 : Linux/Mirai.Gen3
Jiangmin : Backdoor.Linux.cdnr
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.ba
AVG : ELF:Mirai-HU [Trj]
GData : Linux.Trojan.Mirai.J

Data Explore

Paths
/bin/busybox
/dev/null

URLs
http://schemas.xmlsoap.org/soap/envelope/
http://schemas.xmlsoap.org/soap/envelope/

IPs (v4 and v6)
167.99.195.48
::17

Code Explore

Nucleus
Number of functions : 149
Total size of functions [B] : 50926
Average size of a function [B] : 341.785234899
Percentage of covered .text section : 106.366180709
Percentage of covered LOAD segment : 95.5244597839
Coverage above 100% of .text while below 100% of the LOAD segment means the recovered function bodies extend beyond .text into other executable bytes of the first segment (the file also carries an unnamed section, see Anomalies); the .text figure is therefore not a reliable measure of how much code was found.

Eh_frame

Sandbox (user)

Standard output : (none)
Standard error : Segmentation fault

Sandbox (root)

Standard output : (none)
Standard error : Segmentation fault

Behavior

Both runs end in a segmentation fault within 15 syscalls (one socket/connect/getsockname sequence and an execve), so the "Persistence : No" entries in the Summary describe how far the sample got in this sandbox, not a property of the sample.

User behavior

Errors : Segmentation fault - True
Syscalls (unique)
socket
rt_sigaction
rt_sigprocmask
getppid
times
brk
connect
getsockname
time
close
execve
getpid
Unique number : 12
Total number : 14
Instrumented libc calls (unique)
strchr
Unique number : 1
Total number : 1
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0

Root behavior

Errors : Segmentation fault - True
Syscalls (unique)
socket
rt_sigaction
commit_creds
rt_sigprocmask
getppid
times
brk
connect
getsockname
time
close
execve
getpid
Unique number : 13
Total number : 15
Note: commit_creds is a kernel-internal function rather than a system call; it is the only entry not present in the user run and is what accounts for the extra syscall counted under root.
Instrumented libc calls (unique)
strchr
Unique number : 1
Total number : 1
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0