Sample : a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07

Summary


OS ABI

UNIX - System V
CPU class

32 bit
Persistence (user)

No
Persistence (root)

No
CPU byte order

2's complement MSB
File type

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, corrupted section header size
CPU type

MIPS I
Entropy

5.36041168142
Syscalls executed (root)

26
Syscalls executed (user)

25
ELF type

Executable file

ELF


Class

32 bit
Data encoding

2's complement MSB
Operating system ABI

UNIX - System V
Object file type

Executable file
ELF version

1 (EV_CURRENT; e_ident[EI_VERSION] is 0x01 in the first 16 bytes shown below)
Machine

MIPS I
Link

static
Entrypoint

0x400260
Number of segments

3
Number of sections

0
Program header table offset

52
Section header table offset

38172
Program header table - size of entry

32
Section header table - size of entry

0
Program header table - entries

3
Section header table - entries

0
Section header table - index sections names

0
Stripped

True
Sections stripped

True
Anomalies


Segments
W^X violation : PT_GNU_STACK (offset 0x0, which is normal for this pseudo-segment) is flagged both writable and executable, i.e. the process asks for an executable stack


Sections
Number of section headers (e_shnum) is zero : True
Section header entry size (e_shentsize) is zero, although e_shoff is non-zero : True


Debug information

False
GDB errors

"/tmp/tmp.8PWejxNUhS/a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07": not in executable format: File format not recognized
Readelf errors

readelf: Warning: possibly corrupt ELF file header - it has a non-zero section header offset, but no section headers
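The readelf warning and the gdb "File format not recognized" error above come from the same header fields: a non-zero e_shoff combined with e_shnum = 0 and e_shentsize = 0. The kernel loader only needs the program header table, so the binary still executes, but BFD-based tools (gdb, objdump) want section headers and give up. The following added example (not part of the report or of any analysis tool) reconstructs an Elf32_Ehdr from the values listed in this report and re-implements those checks; the e_flags value and the build_sample_header helper are assumptions, since the report does not show the raw header beyond the first 16 bytes.

```python
import struct

EI_CLASS, EI_DATA, EI_VERSION = 4, 5, 6
ELFCLASS32, ELFDATA2LSB, ELFDATA2MSB = 1, 1, 2
EM_MIPS = 8
ELF32_EHDR_SIZE = 52
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
          "e_shnum", "e_shstrndx")


def parse_elf32_header(buf):
    """Decode an Elf32_Ehdr, picking the byte order from e_ident[EI_DATA]."""
    if len(buf) < ELF32_EHDR_SIZE or buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if buf[EI_CLASS] != ELFCLASS32:
        raise ValueError("only ELFCLASS32 is handled here")
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}[buf[EI_DATA]]
    # e_type..e_shstrndx: 2 halves, 5 words, 6 halves = 36 bytes after e_ident
    values = struct.unpack(endian + "HHIIIIIHHHHHH", buf[16:ELF32_EHDR_SIZE])
    hdr = dict(zip(FIELDS, values))
    hdr["ei_version"] = buf[EI_VERSION]
    hdr["endian"] = "MSB" if endian == ">" else "LSB"
    return hdr


def header_anomalies(hdr, file_size=None):
    """Flag the inconsistencies readelf/file report for section-stripped binaries.

    file_size is optional; when given, offsets are also bounds-checked."""
    found = []
    if hdr["e_shoff"] and hdr["e_shnum"] == 0:
        found.append("non-zero e_shoff (%d) but e_shnum == 0" % hdr["e_shoff"])
    if hdr["e_shentsize"] == 0 and (hdr["e_shoff"] or hdr["e_shnum"]):
        found.append("e_shentsize == 0: corrupted section header size")
    if hdr["e_shstrndx"] and hdr["e_shstrndx"] >= hdr["e_shnum"]:
        found.append("e_shstrndx points outside the section header table")
    if hdr["e_phnum"] == 0:
        found.append("no program headers: nothing for the loader to map")
    if hdr["e_ehsize"] != ELF32_EHDR_SIZE:
        found.append("e_ehsize != 52")
    if file_size is not None:
        ph_end = hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"]
        if ph_end > file_size:
            found.append("program header table truncated")
        if hdr["e_shoff"] > file_size:
            found.append("e_shoff points past end of file")
    return found


def sections_stripped(hdr):
    """True when the section header table is absent (gdb/objdump will refuse it)."""
    return hdr["e_shnum"] == 0 or hdr["e_shentsize"] == 0


def build_sample_header():
    """Constructed Elf32_Ehdr using the values from the report: big-endian
    MIPS ET_EXEC, entry 0x400260, e_phoff 52, three 32-byte program headers,
    e_shoff 38172 with e_shentsize/e_shnum/e_shstrndx all zero.
    e_flags (0x1000) is an assumption; the report does not show it."""
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0]) + bytes(8)
    body = struct.pack(">HHIIIIIHHHHHH",
                       2, EM_MIPS, 1, 0x400260, 52, 38172, 0x1000,
                       ELF32_EHDR_SIZE, 32, 3, 0, 0, 0)
    return ident + body


if __name__ == "__main__":
    h = parse_elf32_header(build_sample_header())
    print("entry=0x%x machine=%d endian=%s" % (h["e_entry"], h["e_machine"], h["endian"]))
    print("sections stripped:", sections_stripped(h))
    for finding in header_anomalies(h):
        print("anomaly:", finding)
```

When triaging a real file, pass the first 52 bytes and the file size; the same two findings on a MIPS or ARM sample are a strong hint that the author deliberately zeroed the section header fields to break gdb while leaving the segments (and therefore execution) intact.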

Hash


MD5

47ba65d595e9fd273d74bc54bb36eac9
SHA1

da7e84b4dbfab58fbee6641b24e77cee5952ff45
SHA256

a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07
SHA512

7255ccd8993e641a13b3cfd2678614813b743d160e90d0641ae2b356d318c534660b414c82a766d70804324b20d8be3704ec29e250ef43c77572c17e7c615e74
ssdeep

768:xFIEjrGNs4JHNvzOYhPdIno96ho9wKLoR6q6ICbRvVNDnAd:xhjrGZVkc8MIMvvDnAd

Bytes


Entropy

5.36041168142
Min entropy (16KB blocks)

5.1164349464
Max entropy (16KB blocks)

5.25712810613
Unique bytes (0-255)

252
Null bytes

11834
White spaces

2022
Printable bytes

8306
First 16B

7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B

00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00
Longest same bytes sequence

Byte : 0x0

Offset : 0x8c61

Length : 928

Three rarest bytes

0x9b - 0 times

0xd3 - 0 times

0xeb - 0 times

Three most common bytes

0x0 - 11834 times

0x8f - 1552 times

0x10 - 1318 times

File type


Mime type

application/x-executable
File type

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, corrupted section header size

VirusTotal


URL

https://www.virustotal.com/#/file/a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07
Positive

19
Total AVs

58
Scan date

2018-10-04 22:06:46
AVClass

mirai
Detection

Cyren : ELF/Trojan.PODQ-3

Kaspersky : HEUR:Backdoor.Linux.Agent.bm

Qihoo-360 : Win32/Backdoor.eec

Tencent : Trojan.Linux.Mirai.twa

DrWeb : Linux.Mirai.674

AegisLab : Backdoor.Linux.Agent!c

Zillya : Backdoor.Agent.Linux.55

Fortinet : ELF/Mirai.B!tr

Sophos : Mal/Generic-S

Avast : ELF:Mirai-JR [Trj]

Ikarus : LINUX.Agent

NANO-Antivirus : Trojan.Mirai.eytxcs

AVG : ELF:Mirai-JR [Trj]

Avira : LINUX/Agent.tdlfg

Jiangmin : Backdoor.Linux.atxu

Symantec : Trojan.Gen.2

Avast-Mobile : ELF:Mirai-LK [Trj]

ZoneAlarm : HEUR:Backdoor.Linux.Agent.bm

Comodo : UnclassifiedMalware

Data Explore


Paths

/dev/null

URLs

http://schemas.xmlsoap.org/soap/envelope/ (3 occurrences)

Code Explore


Nucleus

Eh_frame

Sandbox (user)


Standard output

Standard error

Sandbox (root)


Standard output

Standard error

Behavior


User behavior

Syscalls


Unique
fork
chdir
socket
rt_sigaction
getppid
kill
times
connect
setsid
exit
brk
getpid
getsockname
time
close
unlink
sysinfo
execve
ptrace


Unique number
19

Total number
25

Number of processes

2

Trace lines lost

0

Max sleep

-1.0

Ptrace requests

PTRACE_TRACEME

Unlink files

/tmp/a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07

Unlink itself

True



Root behavior

Syscalls


Unique
fork
chdir
socket
rt_sigaction
commit_creds
getppid
kill
times
connect
setsid
exit
brk
getpid
getsockname
time
close
unlink
sysinfo
execve
ptrace


Unique number
20

Total number
26

Number of processes

2

Trace lines lost

0

Max sleep

-1.0

Ptrace requests

PTRACE_TRACEME

Unlink files

/tmp/a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07

Unlink itself

True
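Both the user and the root traces above show the same short behavioural chain: ptrace(PTRACE_TRACEME) as a debugger check, unlink() of the sample's own path, fork()/setsid() to detach from the tracer's session, then socket()/connect(). The following added example (not part of the report and not code from the sample) scores a strace-style trace for exactly those indicators. The trace lines, pids, file descriptors and the peer address are constructed for illustration; the report only lists the syscall names, not the arguments.

```python
import re

# Constructed strace -f style lines reproducing the syscall chain listed in the
# report. Nothing here was captured from the sample; pids, fds, the port and
# the TEST-NET address are invented.
SAMPLE_PATH = "/tmp/a7223b91b5a0f244dca85bf6435610cba04efc1a965c911c9e8b334ecc2bbc07"
TRACE = f"""\
1001  execve("{SAMPLE_PATH}", ["{SAMPLE_PATH}"], 0x7ffe0000) = 0
1001  brk(NULL) = 0x10010000
1001  ptrace(PTRACE_TRACEME, 0, NULL, NULL) = 0
1001  unlink("{SAMPLE_PATH}") = 0
1001  rt_sigaction(SIGCHLD, {{sa_handler=SIG_IGN}}, NULL, 16) = 0
1001  fork() = 1002
1001  exit(0) = ?
1002  setsid() = 1002
1002  chdir("/") = 0
1002  socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
1002  connect(3, {{sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("203.0.113.5")}}, 16) = 0
"""

# pid  name(args) = ret ; "<unfinished ...>" / "resumed>" lines do not match and are skipped
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s+=\s+(\S+)")
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_trace(text):
    """Return a list of (pid, syscall, args, ret) tuples from strace -f output."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, name, args, ret = m.groups()
            calls.append((int(pid), name, args, ret))
    return calls


def behaviour_indicators(calls):
    """Derive the indicators the report lists: self-deletion, PTRACE_TRACEME,
    fork+setsid daemonisation, and outbound connect() targets."""
    ind = {"self_delete": False, "anti_debug": False,
           "daemonize": False, "connects": []}
    exec_paths = set()   # paths this trace execve()'d, to recognise "unlink itself"
    children = set()     # pids returned by fork/vfork/clone in the parent
    for pid, name, args, ret in calls:
        if name == "execve":
            m = QUOTED_RE.match(args)
            if m:
                exec_paths.add(m.group(1))
        elif name == "unlink":
            m = QUOTED_RE.match(args)
            if m and m.group(1) in exec_paths:
                ind["self_delete"] = True
        elif name == "ptrace" and args.startswith("PTRACE_TRACEME"):
            ind["anti_debug"] = True
        elif name in ("fork", "vfork", "clone") and ret.isdigit():
            children.add(int(ret))
        elif name == "setsid" and pid in children:
            ind["daemonize"] = True
        elif name == "connect":
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r"htons\((\d+)\)", args)
            if ip and port:
                ind["connects"].append((ip.group(1), int(port.group(1))))
    return ind


if __name__ == "__main__":
    for key, value in behaviour_indicators(parse_trace(TRACE)).items():
        print(f"{key}: {value}")
```

One caveat when reproducing this in your own sandbox: PTRACE_TRACEME only succeeds if nobody is already tracing the process, so a tracer that itself uses ptrace (strace, gdb) turns that call into an EPERM failure, which is exactly the condition the sample is testing for. A trace with `ptrace(PTRACE_TRACEME, ...) = -1 EPERM` followed by an early exit is the anti-debug check firing, not a crash.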