Sample : ec9a5f8b8a88970066cab31cb0126b54bc0d69e9a17c94d2d1adaa4d2243870d

Summary

OS ABI : UNIX - System V
CPU class : 32 bit
Persistence (user) : No
Persistence (root) : No
CPU byte order : 2's complement LSB
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
CPU type : Intel 80386
Entropy : 6.44030202822
Syscalls executed (root) : 21
Syscalls executed (user) : 20
ELF type : Executable file

ELF

Class : 32 bit
Data encoding : 2's complement LSB
Operating system ABI : UNIX - System V
Object file type : Executable file
ELF version : 0.1
Machine : Intel 80386
Link : static
Entrypoint : 0x8048164
Number of segments : 3
Number of sections : 10
Program header table offset : 52
Section header table offset : 38528
Program header table - size of entry : 32
Section header table - size of entry : 40
Program header table - entries : 3
Section header table - entries : 10
Section header table - index of the section name string table : 9
Stripped : True
Sections stripped : False
Anomalies

Segments
High entropy : PT_LOAD at offset 0x0 - 6.470759
Memory size doubles physical size : PT_LOAD at offset 0x94e4

Sections
Uncommon sections : section without a name
High entropy : .text - 6.486859

Debug information : False

Hash

MD5 : 5c1a569d61ab98e22208d8950437aca7
SHA1 : a69b596ca08aa823989cf4cefcdbd4ed35fcabec
SHA256 : ec9a5f8b8a88970066cab31cb0126b54bc0d69e9a17c94d2d1adaa4d2243870d
SHA512 : 3ca53cc8579b6e5dbaf83a718a7aabd5368efc8388b2325f48e816ca71f04483f9a16f504a8d81ba73bd816665b20169d69698669efacfd0f0ecb71a4a3ddb31
ssdeep : 768:OZ8NJO9F9/f1nzQeyNvS8vWlWbN30cw24zm5gZeaXJ:OZ6JOP9/fdQIv437FAm5g8aX

Bytes

Entropy : 6.44030202822
Min entropy (16KB blocks) : 6.42208523761
Max entropy (16KB blocks) : 6.45282436446
Unique bytes (0-255) : 256
Null bytes : 5594
White spaces : 1055
Printable bytes : 10142
First 16B : 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B : 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00

Longest same bytes sequence
Byte : 0x0
Offset : 0x91d7
Length : 267

Three rarest bytes
0xd7 - 9 times
0x63 - 8 times
0xb3 - 6 times

Three most common bytes
0x0 - 5594 times
0xff - 1896 times
0x24 - 1633 times

File type

Mime type : application/x-executable
File type : ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

VirusTotal

URL : https://www.virustotal.com/#/file/ec9a5f8b8a88970066cab31cb0126b54bc0d69e9a17c94d2d1adaa4d2243870d
Positive : 7
Total AVs : 55
Scan date : 2019-04-12 07:59:24
AVClass : mirai

Detection
Fortinet : ELF/Mirai.AT!tr
DrWeb : Linux.Mirai.2052
TrendMicro-HouseCall : Possible_MIRAI.SMLBO13
ZoneAlarm : HEUR:Backdoor.Linux.Mirai.b
AegisLab : Trojan.Linux.Mirai.K!c
SentinelOne : DFI - Malicious ELF
Kaspersky : HEUR:Backdoor.Linux.Mirai.b

Data Explore

Paths : /dev/null
IPs (v4 and v6) : 142.93.90.95

Code Explore

Nucleus
Number of functions : 124
Total size of functions [B] : 62536
Average size of a function [B] : 504.322580645
Percentage of covered .text section : 174.847620645
Percentage of covered LOAD segment : 162.600104004

Eh_frame

Sandbox (user)

Standard output :
Standard error : Segmentation fault

Sandbox (root)

Standard output :
Standard error : Segmentation fault

Behavior

User behavior

Errors
Segmentation fault : True

Syscalls
Unique :
fcntl
setsockopt
socket
rt_sigaction
bind
rt_sigprocmask
getppid
getpid
times
brk
connect
getsockname
time
close
execve
listen
Unique number : 16
Total number : 20

Instrumented libc calls
Unique :
strchr
Unique number : 1
Total number : 1

Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0

Root behavior

Errors
Segmentation fault : True

Syscalls
Unique :
fcntl
setsockopt
socket
rt_sigaction
commit_creds
rt_sigprocmask
time
getppid
getpid
times
brk
connect
getsockname
bind
close
execve
listen
Unique number : 17
Total number : 21

Instrumented libc calls
Unique :
strchr
Unique number : 1
Total number : 1

Number of processes : 1
Trace lines lost : 0
Max sleep : -1.0