Sample : be944c3856afd847ffc3449f9b6616d09ef170bd67d6ce9ccb79995df159b7fe

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
CPU type : Intel 80386
Entropy : 6.46071868397
Syscalls executed (root) : 21223
Syscalls executed (user) : 19654
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0x8048168
Number of segments : 3
Number of sections : 10
Program header table offset : 52
Section header table offset : 1924368
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 10
Section header table - index of section names : 9
Stripped : True
Sections stripped : False

Anomalies

Segments : High entropy : PT_LOAD at offset 0x0 - 6.468643
Sections : Uncommon sections : section without a name

Debug information : False

Hash

MD5 : 4985b577f3e80373e2a9b3d58124912b
SHA1 : ad8a0eb375e8fcefd5dbcc150669de9ffff59b35
SHA256 : be944c3856afd847ffc3449f9b6616d09ef170bd67d6ce9ccb79995df159b7fe
SHA512 : 6392b953cf972a6510fe2e5e7bd8ebf5774f56a89ed81d5794e27ce1c1bc2ad9735888b996e011d3cb848a8a83f98f8791bde98f2bd0172f825a5b87cd650dd2
ssdeep : 49152:OvGOoE7vs2ndlWoFDCK11EJSCO2f0LBdP8HjL7ywcNF2x:OvlvjnjWoFDCKQJSCO2mBdPaL73cw

Bytes

Entropy : 6.46071868397
Min entropy (16KB blocks) : 4.39429502123
Max entropy (16KB blocks) : 7.4520653549
Unique bytes (0-255) : 256
Null bytes : 270912
White spaces : 46622
Printable bytes : 517803
First 16B : 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00

Longest same bytes sequence
Byte : 0x0
Offset : 0x188902
Length : 1025

Three rarest bytes
0xd5 - 884 times
0xa2 - 850 times
0xad - 811 times

Three most common bytes
0x0 - 270912 times
0x89 - 108206 times
0xff - 102746 times

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/be944c3856afd847ffc3449f9b6616d09ef170bd67d6ce9ccb79995df159b7fe
Positive : 25
Total AVs : 59
Scan date : 2018-05-21 14:52:56
AVClass : mirai

Detection
Symantec : Linux.Mirai
AegisLab : Backdoor.Linux.Mirai!c
Sophos : Mal/Generic-S
ClamAV : Unix.Trojan.Mirai-5678467-0
Microsoft : Backdoor:Linux/Mirai!rfn
Zillya : Backdoor.Mirai.Linux.5465
Antiy-AVL : Trojan[Backdoor]/Linux.Mirai.f
Qihoo-360 : Win32/Backdoor.cf3
Ikarus : Trojan.Linux.Mirai
Cyren : ELF/Trojan.IEHG-6
Avast : ELF:Mirai-A [Trj]
Kaspersky : HEUR:Backdoor.Linux.Mirai.f
Avast-Mobile : ELF:Mirai-C [Trj]
AVG : ELF:Mirai-A [Trj]
Jiangmin : Backdoor.Linux.assj
DrWeb : Linux.Mirai.979
ESET-NOD32 : a variant of Linux/Mirai.A
TrendMicro : Possible_MIRAI.SMLBQ1
GData : Linux.Trojan.Mirai.B
TrendMicro-HouseCall : Possible_MIRAI.SMLBQ1
Avira : LINUX/Mirai.wtjti
Tencent : Linux.Backdoor.Mirai.Pegb
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.f
MAX : malware (ai score=94)
Fortinet : ELF/Mirai.A!tr

Data Explore

Paths
~/9
~/<9
/proc/net/tcp
/dev/watchdog
/dev/misc/watchdog
/root/

/lib/engines-1.1
/dev/urandom
/dev/random
/dev/srandom
/dev/tty
/dev/null
/etc/services
/etc/resolv.conf
/etc/config/resolv.conf
/etc/hosts
/etc/config/hosts

URLs
https://www.openssl.org/docs/faq

IPs (v4 and v6)
::

Code Explore

Nucleus
Number of functions : 5626
Total size of functions [B] : 17489840
Average size of a function [B] : 3108.75222183
Percentage of covered .text section : 1116.44806682
Percentage of covered LOAD segment : 908.894568305

Eh_frame

Sandbox (user)

Standard output
listening tun0 5

Standard error

Sandbox (root)

Standard output
listening tun0 5

Standard error

Behavior

User behavior

Syscalls

Unique
fork
rt_sigaction
kill
connect
getsockname
prctl
close
open
select
recvfrom
shmget
getsockopt
getdents
recv
rt_sigprocmask
send
write
setsid
exit
getpid
fstat
listen
fcntl
read
getppid
ioctl
readlink
sigreturn
execve
setsockopt
socket
bind
times
pipe
time
brk
nanosleep


Unique number : 37
Total number : 19654

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Permission related errors : True

Type of permission related error
EACCES : True

Number of processes : 3

Trace lines lost : 0

Dropped files

Modify
/dev/misc/watchdog
/dev/watchdog


Files being read
/proc/
/proc/858/exe
/proc/811/exe
/proc/506/exe
/lib/systemd/systemd
/proc/777/exe
/proc/468/exe
/proc/854/exe
/proc/514/exe
/proc/587/exe
/proc/831/exe
/proc/594/exe
/usr/lib/systemtap/stapio
/proc/810/exe
/proc/505/exe
/proc/830/exe
/proc/569/exe
/proc/837/exe
/proc/808/exe

Max sleep : 5.0

Process renaming : p4j7grf5rq5hq8t

Ioctls

Total : 4

Success
SIOCGIFCONF
SIOCGIFHWADDR

Fail
TCGETS

Root behavior

Syscalls

Unique
fork
rt_sigaction
kill
connect
getsockname
prctl
close
open
select
recvfrom
shmget
getsockopt
getdents
recv
rt_sigprocmask
send
write
setsid
exit
getpid
fstat
listen
fcntl
read
commit_creds
getppid
ioctl
readlink
sigreturn
execve
setsockopt
socket
bind
times
pipe
time
brk
nanosleep


Unique number : 38
Total number : 21223

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Number of processes : 3

Trace lines lost : 0

Dropped files

Modify
/dev/misc/watchdog
/dev/watchdog


Files being read
/proc/602/exe
/proc/673/exe
/proc/748/exe
/proc/599/exe
/proc/754/exe
/usr/sbin/irqbalance
/proc/742/exe
/usr/sbin/sshd
/lib/systemd/systemd
/proc/477/exe
/lib/systemd/systemd-logind
/proc/762/exe
/proc/739/exe
/sbin/agetty
/proc/474/exe
/usr/lib/accountsservice/accounts-daemon
/proc/
/usr/sbin/rsyslogd
/usr/bin/dbus-daemon
/proc/741/exe
/proc/479/exe
/usr/lib/systemtap/stapio
/proc/587/exe
/proc/703/exe
/proc/469/exe

Max sleep : 5.0

Process renaming : spti6olnhkb5j4q

Ioctls

Total : 4

Success
SIOCGIFCONF
SIOCGIFHWADDR

Fail
TCGETS