Sample : 70d956079d0bec352b92b370c527fec34f9e5c3bfe0217e551d49c5784257d1c

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
CPU type : Intel 80386
Entropy : 6.38392600594
Syscalls executed (root) : 21
Syscalls executed (user) : 20
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0x8048164
Number of segments : 3
Number of sections : 10
Program header table offset : 52
Section header table offset : 47216
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 10
Section header table - index of section names : 9
Stripped : True
Sections stripped : False

Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 6.409968
Memory size doubles physical size : PT_LOAD at offset 0xb7a4

Sections
Uncommon sections : section without a name
High entropy : .text - 6.400386

Debug information : False

Hash

MD5 : 993a7970ea40dcfc68d82162f6014367
SHA1 : 6f1e708638a9ca61a87df14c486620b11abf0a40
SHA256 : 70d956079d0bec352b92b370c527fec34f9e5c3bfe0217e551d49c5784257d1c
SHA512 : 01117827dc4b925bb53e61a616b3deb59e7b96a5e2b6ab36278b7948b631153df0eefbabff456ef140520329456a42ab8dc959772db2a3df0c8ed9ee123a1a1f
ssdeep : 768:jn82RB3Vc5aeSi5kAnoMvzQb3VP7xZa7pUo4i7GQN6d6ukgAz7FzP+l6Gcz55ea1:Q273Vc5aeSi5kAoSzu3toN6dRQG0GczF

Bytes

Entropy : 6.38392600594
Min entropy (16KB blocks) : 6.23462794375
Max entropy (16KB blocks) : 6.24405723998
Unique bytes (0-255) : 256
Null bytes : 7258
White spaces : 1140
Printable bytes : 13798
First 16B : 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00

Longest same bytes sequence
Byte : 0x0
Offset : 0xb483
Length : 287

Three rarest bytes
0xb1 - 8 times
0x97 - 6 times
0xb5 - 6 times

Three most common bytes
0x0 - 7258 times
0x24 - 2158 times
0xff - 1842 times

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/70d956079d0bec352b92b370c527fec34f9e5c3bfe0217e551d49c5784257d1c
Positive : 20
Total AVs : 60
Scan date : 2018-05-19 11:30:44
AVClass : mirai

Detection
Symantec : Linux.Mirai
McAfee : RDN/Generic BackDoor
AegisLab : Backdoor.Linux.Mirai!c
AVG : ELF:Mirai-PR [Trj]
Jiangmin : Backdoor.Linux.bagp
Microsoft : Backdoor:Linux/Mirai!rfn
Fortinet : ELF/Mirai.AT!tr
DrWeb : Linux.Mirai.793
ESET-NOD32 : a variant of Linux/Mirai.CA
Antiy-AVL : Trojan[Backdoor]/Linux.Mirai.b
TrendMicro : TROJ_GEN.F04JC00EB18
Qihoo-360 : Win32/Backdoor.6f4
TrendMicro-HouseCall : TROJ_GEN.F04JC00EB18
McAfee-GW-Edition : RDN/Generic BackDoor
Avira : LINUX/Mirai.dnrjy
Ikarus : Trojan.Linux.Mirai
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.b
Sophos : Mal/Generic-S
Avast : ELF:Mirai-PR [Trj]
Kaspersky : HEUR:Backdoor.Linux.Mirai.b

Data Explore

Paths
/bin/sh
/dev/null

Code Explore

Nucleus
Number of functions : 149
Total size of functions [B] : 47630
Average size of a function [B] : 319.66442953
Percentage of covered .text section : 107.298941203
Percentage of covered LOAD segment : 101.022312717

Eh_frame

Sandbox (user)

Standard output :
Standard error : Segmentation fault

Sandbox (root)

Standard output :
Standard error : Segmentation fault

Behavior

User behavior

Errors
Segmentation fault : True

Syscalls
Unique
fcntl
setsockopt
socket
rt_sigaction
bind
rt_sigprocmask
getppid
getpid
times
brk
connect
getsockname
time
close
execve
listen
Unique number : 16
Total number : 20

Instrumented libc calls
Unique
strchr
Unique number : 1
Total number : 1

Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0

Root behavior

Errors
Segmentation fault : True

Syscalls
Unique
fcntl
setsockopt
socket
rt_sigaction
commit_creds
rt_sigprocmask
time
getppid
getpid
times
brk
connect
getsockname
bind
close
execve
listen
Unique number : 17
Total number : 21

Instrumented libc calls
Unique
strchr
Unique number : 1
Total number : 1

Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0