Sample : bb20601b2b1162d5109dc1373b3af0434c5dde63a72986565afd2ba9bbde1874

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement MSB
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
CPU type : MIPS I
Entropy : 5.35034002704
Syscalls executed (root) : 15
Syscalls executed (user) : 14
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement MSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : MIPS I
Link : static
Entrypoint : 0x400260
Number of segments : 3
Number of sections : 14
Program header table offset : 52
Section header table offset : 62824
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 14
Section header table - index sections names : 13
Stripped : True
Sections stripped : False
Anomalies

Segments
W^X permission : PT_GNU_STACK at offset 0x0

Sections
Uncommon sections : .mdebug.abi32, .sbss, section without a name

Debug information : False

Hash

MD5 : 74c9bb16f5564476a0ac16a4327091d8
SHA1 : 209ba5342a87627944c7a03ea34e5efdc7e56b39
SHA256 : bb20601b2b1162d5109dc1373b3af0434c5dde63a72986565afd2ba9bbde1874
SHA512 : 5539a308ca180c3c66df45bf30c1ee7e5592b800e24a1e5d99af46c66baf80992eaccaa26ae47ef1f5a352d5b9c402a5f8fbfdd4a80f06671384cf6c235472b5
ssdeep : 1536:AwZDllDaxU/R9+kVihZRyu5pA8x+ON8n2iAcpg+5OqqgI:/ZDjDgS4Z/jAijN4AcpHOf5

Bytes

Entropy : 5.35034002704
Min entropy (16KB blocks) : 5.26631596825
Max entropy (16KB blocks) : 5.42441180138
Unique bytes (0-255) : 256
Null bytes : 17781
White spaces : 3647
Printable bytes : 11414
First 16B : 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00

Longest same bytes sequence
Byte : 0x0
Offset : 0xeea1
Length : 352

Three rarest bytes
0x9a - 2 times
0x5a - 1 times
0xe1 - 1 times

Three most common bytes
0x0 - 17781 times
0x8f - 3126 times
0x20 - 2209 times

File type

Mime type : application/x-executable
File type : ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/bb20601b2b1162d5109dc1373b3af0434c5dde63a72986565afd2ba9bbde1874
Positive : 23
Total AVs : 55
Scan date : 2018-03-23 19:39:55
AVClass : mirai

Detection
TrendMicro-HouseCall : TROJ_GEN.F04JC00C918
Jiangmin : Backdoor.Linux.xvl
NANO-Antivirus : Trojan.Mirai.eytmgw
ESET-NOD32 : a variant of Linux/Mirai.AT
Qihoo-360 : Win32/Trojan.78f
Avast-Mobile : ELF:Mirai-ID [Trj]
GData : Linux.Trojan.Agent.Z3LMKV
Antiy-AVL : Trojan[Backdoor]/Linux.Mirai.b
Microsoft : Backdoor:Linux/Mirai!rfn
Avast : ELF:Mirai-HU [Trj]
AegisLab : Backdoor.Linux.Mirai!c
Comodo : .UnclassifiedMalware
Kaspersky : HEUR:Backdoor.Linux.Mirai.ba
Avira : LINUX/Mirai.xxjva
Cyren : ELF/Trojan.XSEO-1
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.ba
Sophos : Mal/Generic-S
TrendMicro : TROJ_GEN.F04JC00C918
Fortinet : Linux/Mirai.AT!tr
AVG : ELF:Mirai-HU [Trj]
Tencent : Linux.Backdoor.Mirai.Aisf
DrWeb : Linux.Mirai.20
Symantec : Linux.Mirai

Data Explore

Paths : /dev/null
IPs (v4 and v6) : 159.89.182.27

Code Explore

Nucleus : Eh_frame

Sandbox (user)

Standard output :
Standard error : Segmentation fault

Sandbox (root)

Standard output :
Standard error : Segmentation fault

Behavior

User behavior

Errors
Segmentation fault : True

Syscalls
Unique : socket, rt_sigaction, rt_sigprocmask, getppid, times, brk, connect, getsockname, time, close, execve, getpid
Unique number : 12
Total number : 14
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0

Root behavior

Errors
Segmentation fault : True

Syscalls
Unique : socket, rt_sigaction, commit_creds, rt_sigprocmask, getppid, times, brk, connect, getsockname, time, close, execve, getpid
Unique number : 13
Total number : 15
Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0