Sample : 499bfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81

Summary


OS ABI

UNIX - System V
CPU class

32 bit
Persistence (user)

No
Persistence (root)

No
CPU byte order

2's complement LSB
File type

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
CPU type

Intel 80386
Entropy

6.43010318852
Syscalls executed (root)

538762
Syscalls executed (user)

533
ELF type

Executable file

ELF


Class

32 bit
Data encoding

2's complement LSB
Operating system ABI

UNIX - System V
Object file type

Executable file
ELF version

0.1
Machine

Intel 80386
Link

static
Entrypoint

0x8048164
Number of segments

3
Number of sections

10
Program header table offset

52
Section header table offset

50368
Program header table - size of entry

32
Section header table - size of entry

40
Program header table - entries

3
Section header table - entries

10
Section header table - index sections names

9
Stripped

True
Sections stripped

False
Anomalies


Segments
High entropy : PT_LOAD at offset 0x0 - 6.454622
Memory size doubles physical size : PT_LOAD at offset 0xc324


Sections
Uncommon sections : section without a name
High entropy : .text - 6.467960


Debug information

False
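How the ELF fields above (class, byte order, ABI, entry point, header table offsets and entry sizes, the PT_LOAD "memory size doubles physical size" anomaly) are read out of the first bytes of the file. This is an added illustration, not the report tool's own parser. Only the 16 e_ident bytes and the header field values come from this report; the three program headers in build_sample() are constructed with hypothetical sizes, chosen so that the second PT_LOAD trips the same check the Anomalies section reports.

```python
"""Added example: decode an ELF32 LSB header and its program headers with stdlib only."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
EHDR32 = "<16sHHIIIIIHHHHHH"  # e_ident + 13 fields = 52 bytes (matches "Program header table offset 52")
PHDR32 = "<IIIIIIII"          # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align = 32 bytes

ELFCLASS = {1: "32 bit", 2: "64 bit"}
ELFDATA = {1: "2's complement LSB", 2: "2's complement MSB"}
OSABI = {0: "UNIX - System V", 3: "GNU/Linux"}
ETYPE = {1: "Relocatable file", 2: "Executable file", 3: "Shared object", 4: "Core file"}
EMACHINE = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}


def parse_elf32(data: bytes) -> dict:
    """Decode the ELF32 header and program headers; flag PT_LOADs that are mostly .bss."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ident = data[:16]
    if ident[4] != 1 or ident[5] != 1:
        raise ValueError("example handles ELFCLASS32 / ELFDATA2LSB only")
    (_, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, _e_flags,
     _e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack_from(EHDR32, data, 0)
    info = {
        "class": ELFCLASS[ident[4]],
        "data_encoding": ELFDATA[ident[5]],
        "os_abi": OSABI.get(ident[7], f"unknown ({ident[7]})"),
        "object_type": ETYPE.get(e_type, f"unknown ({e_type})"),
        "elf_version": e_version,
        "machine": EMACHINE.get(e_machine, f"unknown ({e_machine})"),
        "entrypoint": e_entry,
        "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum,
        "shoff": e_shoff, "shentsize": e_shentsize, "shnum": e_shnum,
        "shstrndx": e_shstrndx,
        "segments": [], "anomalies": [],
    }
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz,
         _p_flags, _p_align) = struct.unpack_from(PHDR32, data, e_phoff + i * e_phentsize)
        info["segments"].append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                                 "filesz": p_filesz, "memsz": p_memsz})
        # A PT_LOAD whose in-memory size is at least twice its on-disk size is mostly
        # .bss. That is normal for a static binary, but it is the condition behind the
        # report's "Memory size doubles physical size" anomaly line.
        if p_type == PT_LOAD and p_filesz and p_memsz >= 2 * p_filesz:
            info["anomalies"].append(
                f"Memory size doubles physical size : PT_LOAD at offset {p_offset:#x}")
    return info


def build_sample() -> bytes:
    """CONSTRUCTED input: header fields from the report, program headers hypothetical."""
    e_ident = bytes.fromhex("7f454c46010101000000000000000000")  # report: "First 16B"
    ehdr = struct.pack(EHDR32, e_ident,
                       2,          # e_type: executable file
                       3,          # e_machine: Intel 80386
                       1,          # e_version
                       0x8048164,  # e_entry (report)
                       52,         # e_phoff (report)
                       50368,      # e_shoff (report)
                       0,          # e_flags
                       52, 32, 3,  # e_ehsize, e_phentsize, e_phnum (report)
                       40, 10, 9)  # e_shentsize, e_shnum, e_shstrndx (report)
    phdrs = b"".join(struct.pack(PHDR32, *p) for p in [
        # type,        offset, vaddr,      paddr,      filesz, memsz,  flags, align
        (PT_LOAD,      0x0,    0x08048000, 0x08048000, 0xc324, 0xc324, 5, 0x1000),  # sizes hypothetical
        (PT_LOAD,      0xc324, 0x08055324, 0x08055324, 0x19c,  0x1000, 6, 0x1000),  # hypothetical: memsz > 2*filesz
        (PT_GNU_STACK, 0x0,    0x0,        0x0,        0x0,    0x0,    6, 0x10),
    ])
    return ehdr + phdrs  # 52 + 3*32 = 148 bytes: enough for header and program-header parsing


if __name__ == "__main__":
    for key, value in parse_elf32(build_sample()).items():
        print(f"{key:14} {value}")
```

To run it on the real sample, replace build_sample() with open(path, "rb").read(); the section headers at offset 50368 are not parsed here, so "Sections stripped" and the unnamed-section anomaly need the section header table as well.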

Hash


MD5

eb457c85342b94a8e4bd9e8b5be4f397
SHA1

9168aefb5647e258ccdf9333e1e2cd05d6f842ec
SHA256

499bfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81
SHA512

0011f2d0047e94b179a08776eeabad3dd966eeeef7bb7856ccf4179c3c05aeb1f6d920bd488b51c3de08e65ee9d2989274b0ea42633bfcda041c6839c1f810c4
ssdeep

768:7XlWCOeLQaWHijmTqo92qz3a3yqQkVQ9d1CjH6JFPI5zvZmWHSJkv:7XlDOemijUx2qmRM9dJFPI5TFHSJkv

Bytes


Entropy

6.43010318852
Min entropy (16KB blocks)

6.2792269695
Max entropy (16KB blocks)

6.46484288773
Unique bytes (0-255)

256
Null bytes

7996
White spaces

1191
Printable bytes

13320
First 16B

7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B

00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Longest same bytes sequence

Byte : 0x0

Offset : 0xb4e5

Length : 596

Three rarest bytes

0x67 - 11 times

0xa6 - 11 times

0xb3 - 10 times

Three most common bytes

0x0 - 7996 times

0xff - 2501 times

0x24 - 1914 times
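The statistics in the Bytes section (whole-file and 16KB-block Shannon entropy, null/whitespace/printable counts, first and last 16 bytes, longest run of one byte, rarest and most common bytes) recomputed in plain Python. This is an added illustration, not the report tool's code, and it assumes: entropy in bits per byte, "white spaces" meaning the bytes of string.whitespace, "printable" meaning 0x20 to 0x7e, and ties among rare or common bytes broken by byte value. The inputs in the usage at the bottom are constructed.

```python
"""Added example: byte-level triage statistics for a file, stdlib only."""
import math
import string
from collections import Counter

WHITESPACE = set(string.whitespace.encode())  # assumption: what "White spaces" counts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_run(data: bytes) -> tuple:
    """(byte value, offset, length) of the longest run of a single repeated byte."""
    best = (None, 0, 0)
    start = 0
    for i in range(1, len(data) + 1):
        if i == len(data) or data[i] != data[start]:
            if i - start > best[2]:
                best = (data[start], start, i - start)
            start = i
    return best


def byte_stats(data: bytes, block_size: int = 16 * 1024) -> dict:
    """The same kind of summary the report's Bytes section shows, as a dict."""
    counts = Counter(data)
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    block_entropies = [shannon_entropy(b) for b in blocks] or [0.0]
    by_count = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))  # ascending count, then value
    return {
        "entropy": shannon_entropy(data),
        "min_block_entropy": min(block_entropies),
        "max_block_entropy": max(block_entropies),
        "unique_bytes": len(counts),
        "null_bytes": counts[0],
        "whitespace": sum(counts[b] for b in WHITESPACE),
        "printable": sum(c for b, c in counts.items() if 0x20 <= b <= 0x7E),  # assumption
        "first16": data[:16].hex(" "),
        "last16": data[-16:].hex(" "),
        "longest_run": longest_run(data),
        "rarest": by_count[:3],
        "most_common": by_count[-1:-4:-1],
    }


if __name__ == "__main__":
    # Constructed input: one block of every byte value 64 times, then a block of nulls.
    sample = bytes(range(256)) * 64 + b"\x00" * 16384
    for key, value in byte_stats(sample).items():
        print(f"{key:18} {value}")
```

On a real file, feed open(path, "rb").read() to byte_stats(). A high whole-file entropy together with a high minimum block entropy points at packing or encryption across the whole file; this sample's 6.28 minimum and 6.46 maximum are what plain, unpacked i386 code and data usually look like, which agrees with "statically linked, stripped" and no packer.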

File type


Mime type

application/x-executable
File type

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

VirusTotal


URL

https://www.virustotal.com/#/file/499bfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81
Positive

26
Total AVs

57
Scan date

2019-08-17 19:33:30
AVClass

mirai
Detection

Kaspersky : HEUR:Backdoor.Linux.Mirai.b

McAfee : RDN/Generic BackDoor

Qihoo-360 : Win32/Backdoor.6f4

AegisLab : Trojan.Linux.Mirai.K!c

F-Secure : Malware.LINUX/Mirai.sdkmy

AVG : ELF:Mirai-SJ [Trj]

Avira : LINUX/Mirai.sdkmy

ClamAV : Unix.Malware.Agent-7124148-0

TrendMicro : Possible_MIRAI.SMLBO13

Antiy-AVL : Trojan[Backdoor]/Linux.Mirai.b

Avast : ELF:Mirai-SJ [Trj]

MAX : malware (ai score=53)

ESET-NOD32 : a variant of Linux/Mirai.KU

Tencent : Backdoor.Linux.Mirai.wan

DrWeb : Linux.Mirai.2052

Sophos : Mal/Generic-S

Fortinet : ELF/Mirai.AT!tr

TrendMicro-HouseCall : Possible_MIRAI.SMLBO13

SentinelOne : DFI - Malicious ELF

McAfee-GW-Edition : RDN/Generic BackDoor

Ikarus : Trojan.Linux.Mirai

ZoneAlarm : HEUR:Backdoor.Linux.Mirai.b

AhnLab-V3 : Linux/Mirai.Exp

Jiangmin : Backdoor.Linux.dmdj

Symantec : Linux.Mirai

GData : Linux.Trojan.Agent.BTAJUF

Data Explore


Paths

/var/tmp/

/var/

/root/

/dev/shm/

/bin/busybox

/dev/null

IPs (v4 and v6)

1.9.1.1

Code Explore


Nucleus

Number of functions : 148

Total size functions [B] : 84886

Average size a function [B] : 573.554054054

Percentage of covered .text section : 184.190426594

Percentage of covered LOAD segment : 168.75944334

Eh_frame

Sandbox (user)


Standard output

operated by @ankit_anubhav
Standard error

Sandbox (root)


Standard output

operated by @ankit_anubhav
Standard error

Behavior


User behavior

Syscalls


Unique
fork
rt_sigaction
brk
connect
getsockname
prctl
close
open
select
getsockopt
getdents
rt_sigprocmask
send
write
setsid
exit
getpid
fstat
listen
fcntl
read
getppid
recv
execve
setsockopt
socket
bind
times
recvfrom
time


Unique number
30

Total number
533

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Permission related errors

True

Type of permission related error


EPERM
True

Number of processes

9

Trace lines lost

0

Dropped files


Modify
/etc/default/watchdog
/dev/watchdog0
/dev/watchdog1
/dev/misc/watchdog
/dev/FTWDT101_watchdog
/bin/watchdog
/sbin/watchdog
/dev/FTWDT101\\ watchdog
/dev/watchdog


Files being read

/tmp/strace.ko

/srvttmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/tmp/

/mnt/tmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/runeampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/tmp/499bfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/libbfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/tmpnnuzunds640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/opthea8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/lost+founds640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/binttmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/

/var/logkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/boottmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/rootampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/proc/807/maps

/var/cachea8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/sys/tmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/locala8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/lib/tmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/optiampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/tmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/backups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/homeampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/sbinnuzunds640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/data/local/tmp/

/var/runlla8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/mediampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/mailla8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/vmlinuzunds640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/spoola8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/usrttmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/proc/

/varnnuzunds640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/lockla8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/dev/shm/

/var/

/etc/tmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/deviampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/procampkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81\363\327\b

/var/tmp/

/root/

Max sleep

-1.0

Process renaming

/bin/busybox



Root behavior

Syscalls


Unique
fork
rt_sigaction
brk
connect
getsockname
prctl
close
open
select
getsockopt
getdents
rt_sigprocmask
send
write
setsid
exit
getpid
fstat
listen
fcntl
read
commit_creds
getppid
recv
execve
setsockopt
socket
bind
times
recvfrom
time
nanosleep


Unique number
32

Total number
538762

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

6

Trace lines lost

0

Dropped files


Modify
/etc/default/watchdog
/dev/watchdog0
/dev/watchdog1
/dev/misc/watchdog
/dev/FTWDT101_watchdog
/bin/watchdog
/sbin/watchdog
/dev/FTWDT101\\ watchdog
/dev/watchdog


Files being read

/tmp/strace.ko

/var/spoola8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/

/lost+found.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/tmp/

/etct/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/tmp/499bfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/procatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/vmlinuzund.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/cachea8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/

/bint/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/root/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/runeatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/rootatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/srvt/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/tmpkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/deviatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/usrt/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/opthea8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/data/local/tmp/

/libt/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/optiatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/root/

/sbinnuzund.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/runlla8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/logkups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/tmpnnuzund.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/proc/

/var/mailla8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/dev/shm/

/var/locala8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/homeatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/backups640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/libbfa8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/tmp/strace.kog673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/lockla8640673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/var/tmp/

/syst/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/boot/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/mntt/trace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/mediatrace.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

/varnnuzund.log673f59cdd8970652ecdf0ca609f50c3fa034d39da2a693e86d6c81c?\b

Max sleep

120.0

Process renaming

/bin/busybox
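The user and root behaviour sections above record the same pattern: watchdog device and binary paths under Modify, the process renaming itself to /bin/busybox, and a syscall set that includes setsid, bind and listen. The detector below turns those observations into checks over strace-style output (the format `strace -f` writes, with `[pid N]` or leading-pid prefixes). It is an added illustration, not the sandbox's own rules. The SAMPLE_TRACE is constructed for the example: the pids, descriptors, port number and the ordering of calls are invented, and only the paths and call names echo what the report lists.

```python
"""Added example: flag Mirai-style behaviour in strace -f output."""
import re

LINE = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+|(?P<pid2>\d+)\s+)?"
    r"(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')                       # first quoted string argument
WATCHDOG_DEV = re.compile(r"^/dev/(?:misc/)?watchdog\d*$|^/dev/FTWDT101")
PORT = re.compile(r"htons\((\d+)\)")

# CONSTRUCTED trace: not from the sandbox run above.
SAMPLE_TRACE = """\
807   execve("/tmp/sample", ["/tmp/sample"], 0xbffff4e0 /* 12 vars */) = 0
807   open("/dev/watchdog", O_RDWR) = 3
807   close(3) = 0
807   open("/dev/misc/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
807   prctl(PR_SET_NAME, "/bin/busybox") = 0
807   socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
807   setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
807   bind(3, {sa_family=AF_INET, sin_port=htons(5555), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
807   listen(3, 1) = 0
807   fork() = 808
[pid   808] setsid() = 808
[pid   808] open("/etc/passwd", O_RDONLY) = 4
"""


def parse_line(line: str):
    """Split one strace line into (pid, syscall, argument text, return value)."""
    m = LINE.match(line.strip())
    if not m:
        return None  # unfinished/resumed lines, signal and exit notices are skipped
    return m.group("pid") or m.group("pid2"), m.group("name"), m.group("args"), m.group("ret")


def detect(trace_lines):
    """Return (pid, category, detail) findings: watchdog opened for writing (attempted
    or successful), prctl(PR_SET_NAME) renaming, setsid daemonisation, bind+listen pair."""
    findings = []
    bound = {}  # (pid, fd) -> port for sockets that have been bind()ed and not closed
    for raw in trace_lines:
        parsed = parse_line(raw)
        if not parsed:
            continue
        pid, name, args, ret = parsed
        first_str = QUOTED.search(args)
        path = first_str.group(1) if first_str else ""
        if name in ("open", "openat") and WATCHDOG_DEV.match(path) \
                and ("O_RDWR" in args or "O_WRONLY" in args):
            findings.append((pid, "watchdog_write_open", f"{path} -> {ret}"))
        elif name == "prctl" and args.startswith("PR_SET_NAME"):
            findings.append((pid, "process_renamed", path))
        elif name == "setsid":
            findings.append((pid, "daemonize", f"setsid -> {ret}"))
        elif name == "bind" and ret == "0":
            fd = args.split(",", 1)[0].strip()
            port_m = PORT.search(args)
            bound[(pid, fd)] = port_m.group(1) if port_m else "?"
        elif name == "listen" and ret == "0":
            fd = args.split(",", 1)[0].strip()
            if (pid, fd) in bound:
                findings.append((pid, "local_listener", f"fd {fd} port {bound[(pid, fd)]}"))
        elif name == "close":
            bound.pop((pid, args.strip()), None)
    return findings


if __name__ == "__main__":
    for pid, category, detail in detect(SAMPLE_TRACE.splitlines()):
        print(f"pid {pid}: {category}: {detail}")
```

Failed opens are reported on purpose: the report's Modify list is a list of paths tried, and on a box without a hardware watchdog most of them return ENOENT, which is still the signal. The renaming check reports whatever PR_SET_NAME was given; on this sample it is /bin/busybox, so a process list will not distinguish the bot from the system shell by name alone.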