Sample : c532a79dd78230d88413d86ae9abfeefcb70f0b045c1638bdf8737ac0f022bd2

Summary

OS ABI : UNIX - Linux
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
CPU type : Intel 80386
Entropy : 7.87530844611
Syscalls executed (root) : 99083
Syscalls executed (user) : 432506
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - Linux
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0xc07be0
Number of segments : 3
Number of sections : 0
Program header table offset : 52
Section header table offset : 0
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 0
Section header table - index sections names : 0
Stripped : True
Sections stripped : True

Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 7.877497
Memory size doubles physical size : PT_LOAD at offset 0xe80

Sections
Section header table offset empty : True
Number of section headers empty : True

Debug information : False

Hash

MD5 : 97f417893f2a4a36cf1c439c693e0608
SHA1 : 45bc457a49f0fc7261d10b8a83c11050772d904e
SHA256 : c532a79dd78230d88413d86ae9abfeefcb70f0b045c1638bdf8737ac0f022bd2
SHA512 : 193d0fddd71ec8f37e172594832a3c0538010db66a42b1f7006223f4b3e0e1f1ca98e499eb963e072faa4b4fc46d319aae226d392c8071a3b3c757eca14ebfbf
ssdeep : 384:MqMzN8f05Rpjk5Yfo2xZUzKmQAHHOvgm0PtsgV9Jz8Uaux7+fqSB+tyXEFsZRu06:WN8fWlfowmQA3V9qFmSBivFWkEn0T

Bytes

Entropy : 7.87530844611
Min entropy (16KB blocks) : 7.86632951075
Max entropy (16KB blocks) : 7.86632951075
Unique bytes (0-255) : 256
Null bytes : 435
White spaces : 1022
Printable bytes : 11692
First 16B : 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Last 16B : a8 00 00 00 dc f7 00 00 49 00 00 12 a0 00 00 00
Longest same bytes sequence : byte 0x0, offset 0x7a, length 19

Three rarest bytes
0x9d - 45 times
0xf5 - 45 times
0xb1 - 40 times

Three most common bytes
0x0 - 435 times
0x1 - 300 times
0x89 - 285 times

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/c532a79dd78230d88413d86ae9abfeefcb70f0b045c1638bdf8737ac0f022bd2
Positive : 5
Total AVs : 59
Scan date : 2019-04-15 14:07:05
AVClass : mirai

Detection
Fortinet : ELF/Mirai.AT!tr
ESET-NOD32 : a variant of Linux/Mirai.A
Tencent : Trojan.Linux.Mirai.cj
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.b
Kaspersky : HEUR:Backdoor.Linux.Mirai.b

Data Explore

Paths
/proc/
/proc/self/exe

URLs
http://upx.sf.net

IPs (v4 and v6)
5::

Code Explore

Nucleus
Number of functions : 0

Eh_frame

Sandbox (user)

Standard output : Success~Yeah~UN~stable
Standard error :

Sandbox (root)

Standard output : Success~Yeah~UN~stable
Standard error :

Behavior

User behavior

Syscalls

Unique
fcntl
rt_sigaction
mprotect
brk
connect
getsockname
close
open
select
getsockopt
getdents
rt_sigprocmask
send
write
setsid
exit
getpid
munmap
fstat
listen
fork
read
getppid
readlink
recv
execve
setsockopt
socket
bind
times
recvfrom
time
kill
nanosleep


Unique number : 34
Total number : 432506

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Permission related errors : True
Type of permission related error
EPERM : True

Number of processes : 29
Trace lines lost : 0

Dropped files

Modify
/dev/misc/watchdog
/dev/watchdog

Files being read
/proc/506/exe
/proc/831/fd
/proc/806/exe
/proc/810/exe
/proc/505/exe
/proc/569/exe
/proc/net/tcp
/proc/808/exe
/lib/systemd/systemd
/proc/468/exe
/proc/514/exe
/proc/594/exe
/proc/860/exe
/proc/811/exe
/proc/831/exe
/proc/
/proc/860/fd
/proc/810/fd
/proc/857/fd
/proc/859/fd
/proc/830/exe
/usr/lib/systemtap/stapio
/proc/862/fd
/proc/587/exe

Max sleep : 60.0


Root behavior

Syscalls

Unique
fcntl
rt_sigaction
mprotect
brk
connect
getsockname
close
open
select
getsockopt
getdents
rt_sigprocmask
send
write
setsid
exit
getpid
munmap
fstat
listen
fork
read
commit_creds
getppid
readlink
recv
execve
setsockopt
socket
bind
times
recvfrom
time
kill
nanosleep


Unique number : 35
Total number : 99083

Instrumented libc calls

Unique
strchr

Unique number : 1
Total number : 1

Number of processes : 7
Trace lines lost : 0

Dropped files

Modify
/dev/misc/watchdog
/dev/watchdog

Files being read
/proc/749/exe
/proc/602/exe
/proc/479/fd
/proc/740/fd
/proc/477/fd
/proc/1/fd
/proc/742/fd
/proc/599/exe
/usr/sbin/irqbalance
/proc/net/tcp
/proc/602/fd
/proc/742/exe
/proc/749/fd
/usr/sbin/sshd
/lib/systemd/systemd
/proc/765/exe
/proc/767/fd
/proc/477/exe
/proc/225/fd
/lib/systemd/systemd-logind
/proc/764/fd
/proc/740/exe
/proc/755/fd
/proc/743/fd
/proc/765/fd
/proc/768/fd
/sbin/agetty
/proc/474/exe
/usr/sbin/rsyslogd
/proc/743/exe
/proc/722/exe
/proc/673/exe
/usr/lib/accountsservice/accounts-daemon
/proc/
/proc/599/fd
/usr/bin/dbus-daemon
/proc/469/fd
/proc/188/fd
/proc/479/exe
/usr/lib/systemtap/stapio
/proc/762/fd
/proc/587/fd
/proc/474/fd
/proc/469/exe
/proc/769/exe

Max sleep : 5.0