Sample:

b8d6b7eb1f3f10e8e829d0bafaaba182e60b7597eace99846b76773fd6779afb
Summary

OS ABI: UNIX - Linux

CPU class: 32 bit

Persistence (user): No

Persistence (root): No

CPU byte order: 2's complement LSB

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

CPU type: Intel 80386

Entropy: 7.87655719335

Syscalls executed (root): 26

Syscalls executed (user): 25

ELF type: Executable file

ELF

Class: 32 bit

Data encoding: 2's complement LSB

Operating system ABI: UNIX - Linux

Object file type: Executable file

ELF version: 0.1

Machine: Intel 80386

Entrypoint: 0xc06dd0

Number of segments: 3

Number of sections: 0

Program header table offset: 52

Section header table offset: 0

Program header table - size of entry: 32

Section header table - size of entry: 40

Program header table - entries: 3

Section header table - entries: 0

Section header table - index sections names: 0

Stripped: True

Sections stripped: True

  • PT_LOAD at offset 0x0 - 7.881539
  • PT_LOAD at offset 0x920

Section header table offset empty: True

Number of section headers empty: True

Debug information: False

Hash

MD5: a7dbd8a978c746107c9f00f58da23541

SHA1: 0b2bfea5c1037c68a047913d2c54dd66073145e2

SHA256: b8d6b7eb1f3f10e8e829d0bafaaba182e60b7597eace99846b76773fd6779afb

SHA512: f2db1157c12a8c1707f3808334af967a7d17c7ea4321a3ae98f60386084649c77a2051e57b6909d4a68425f67ed99855219308492756c4eae0b2eb099cb22ca3

ssdeep: 384:M4yQpEKtpgy8AK+z3p+Ddttetxut0cOybZto5K2f0cneZFQETEax/jj8TVU+v1RX:/8D+bp+Li3cOybHuKwneZdTr/sBPX

Bytes

Entropy: 7.87655719335

Min entropy (16KB blocks): 7.86871383895

Max entropy (16KB blocks): 7.86871383895

Unique bytes (0-255): 256

Null bytes: 444

White spaces: 1009

Printable bytes: 9595

First 16B: 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00

Last 16B: ad 00 00 00 70 03 01 00 46 06 00 3e a0 00 00 00

Byte: 0x0

Offset: 0x7a

Length: 19

  • 0x71 - 47 times
  • 0xf5 - 41 times
  • 0xe5 - 37 times
  • 0x0 - 444 times
  • 0x1 - 274 times
  • 0x20 - 265 times

File type

Mime type: application/x-executable

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

VirusTotal

URL: https://www.virustotal.com/#/file/b8d6b7eb1f3f10e8e829d0bafaaba182e60b7597eace99846b76773fd6779afb

Positive: 18

Total AVs: 60

Scan date: 2018-06-21 04:07:56

AVClass: mirai

Symantec: Linux.Mirai

McAfee: RDN/Generic BackDoor

AegisLab: Backdoor.Linux.Mirai!c

Jiangmin: Backdoor.Linux.avjd

Fortinet: ELF/Mirai.AT!tr

Ikarus: Trojan.Linux.Mirai

ESET-NOD32: a variant of Linux/Mirai.L

DrWeb: Linux.Mirai.793

TrendMicro: TROJ_GEN.R002C0OFK18

Qihoo-360: Win32/Backdoor.996

TrendMicro-HouseCall: TROJ_GEN.F04JC00FL18

Avira: LINUX/Mirai.ceukf

Sophos: Mal/Generic-S

ZoneAlarm: HEUR:Backdoor.Linux.Mirai.ad

NANO-Antivirus: Trojan.Elf32.Mirai.fehkiu

Cyren: ELF/Trojan.NMFE-14

Kaspersky: HEUR:Backdoor.Linux.Mirai.ad

GData: Linux.Trojan.Agent.01D0TH

Data Explore

  • /proc/sm
  • http://upx.sf.net

Code Explore

Number of functions: 0

Sandbox (user)

Standard output:

Standard error: Segmentation fault

Sandbox (root)

Standard output:

Standard error: Segmentation fault

Behavior (user)

Segmentation fault: True

  • fcntl
  • setsockopt
  • socket
  • rt_sigaction
  • bind
  • mprotect
  • time
  • getppid
  • getpid
  • times
  • brk
  • connect
  • getsockname
  • close
  • readlink
  • munmap
  • rt_sigprocmask
  • execve
  • listen

Unique number: 19

Total number: 25

  • strchr

Unique number: 1

Total number: 1

Number of processes: 1

Trace lines lost: 0

Max sleep: -1.0

Behavior (root)

Segmentation fault: True

  • fcntl
  • setsockopt
  • bind
  • socket
  • rt_sigaction
  • commit_creds
  • mprotect
  • time
  • getppid
  • getpid
  • times
  • readlink
  • connect
  • getsockname
  • close
  • brk
  • munmap
  • rt_sigprocmask
  • execve
  • listen

Unique number: 20

Total number: 26

  • strchr

Unique number: 1

Total number: 1

Number of processes: 1

Trace lines lost: 0

Max sleep: -1.0