Sample : a149702e1f3d888f30256c7c946812fbfdc05fe932c8307ba8cdc610b8ed96b4

Summary

OS ABI : ARM
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
CPU type : ARM 32-bit
Entropy : 5.94449453391
Syscalls executed (root) : 2
Syscalls executed (user) : 1
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : ARM
Object file type : Executable file
ELF version : 0.1
Machine : ARM 32-bit
Link : static
Entrypoint : 0x8190
Number of segments : 3
Number of sections : 10
Program header table offset : 52
Section header table offset : 57964
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 10
Section header table - index sections names : 9
Stripped : True
Sections stripped : False

Anomalies

Segments
W^X permission : PT_GNU_STACK at offset 0x0
Memory size doubles physical size : PT_LOAD at offset 0xe000

Sections
Uncommon sections : section without a name

Debug information : False

Hash

MD5 : ec9d7ec06ec27020bb8a0adc050c0845
SHA1 : d9f380a7bca9415d7843f2250d8ceb17e640b8fb
SHA256 : a149702e1f3d888f30256c7c946812fbfdc05fe932c8307ba8cdc610b8ed96b4
SHA512 : 40a69233a01a642d932bf063a5a2cd3673f59044cb4193611e0a95597d2cc9cb23bbac80cd4e8e90850a9124aa9685c8576bed947f8daffb3265850ee4c18ae7
ssdeep : 1536:S4zcjwlDU31MXfd0qIGTu6hUmBpVoZoG9+:S4J21MPd0qIGiYBp4V

Bytes

Entropy : 5.94449453391
Min entropy (16KB blocks) : 5.85538591414
Max entropy (16KB blocks) : 6.02199736187
Unique bytes (0-255) : 256
Null bytes : 10577
White spaces : 2814
Printable bytes : 9400
First 16B : 7f 45 4c 46 01 01 01 61 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Longest same bytes sequence : byte 0x0, offset 0xdc56, length 939
Three rarest bytes : 0x49 (8 times), 0xb6 (8 times), 0x7b (7 times)
Three most common bytes : 0x0 (10577 times), 0xa0 (3469 times), 0xe5 (2736 times)

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/a149702e1f3d888f30256c7c946812fbfdc05fe932c8307ba8cdc610b8ed96b4
Positive : 19
Total AVs : 57
Scan date : 2019-08-17 10:12:48
AVClass : mirai

Detection
ESET-NOD32 : a variant of Linux/Mirai.KU
Kaspersky : HEUR:Backdoor.Linux.Mirai.b
Qihoo-360 : Win32/Backdoor.6f4
Tencent : Backdoor.Linux.Mirai.waw
DrWeb : Linux.Mirai.1232
Avast-Mobile : ELF:Mirai-VZ [Trj]
Fortinet : ELF/Mirai.AT!tr
TrendMicro-HouseCall : Possible_MIRAI.SMLBO13
Sophos : Mal/Generic-S
Avast : ELF:Mirai-NL [Trj]
F-Secure : Malware.LINUX/Mirai.ujfsl
Ikarus : Trojan.Linux.Mirai
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.b
Avira : LINUX/Mirai.ujfsl
AVG : ELF:Mirai-NL [Trj]
AegisLab : Trojan.Linux.Mirai.K!c
TrendMicro : Possible_MIRAI.SMLBO13
Symantec : Linux.Mirai
GData : Linux.Trojan.Agent.KAWNYS

Data Explore

Paths
/var/tmp/
/var/
/root/
/dev/shm/
/bin/busybox
/dev/null

IPs (v4 and v6)
1.9.1.1

Code Explore


Nucleus

Eh_frame

Sandbox (user)

Standard output : (empty)
Standard error : Illegal instruction

Sandbox (root)

Standard output : (empty)
Standard error : Illegal instruction

Behavior

User behavior

Errors
Illegal instruction : True

Syscalls
Unique : execve
Unique number : 1
Total number : 1
Number of processes : 1
Trace lines lost : 0
Empty trace : True
Max sleep : -1.0

Root behavior

Errors
Illegal instruction : True

Syscalls
Unique : commit_creds, execve
Unique number : 2
Total number : 2
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0