Sample: eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776

Summary

OS ABI: UNIX - System V
CPU class: 32 bit
Persistence (user): No
Persistence (root): No
CPU byte order: 2's complement LSB
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
CPU type: ARM 32-bit
Entropy: 6.01119715075
Syscalls executed (root): 512656
Syscalls executed (user): 170147
ELF type: Executable file

ELF

Class: 32 bit
Data encoding: 2's complement LSB
Operating system ABI: UNIX - System V
Object file type: Executable file
ELF version: 0.1
Machine: ARM 32-bit
Link: static
Entrypoint: 0x8194
Number of segments: 5
Number of sections: 16
Program header table offset: 52
Section header table offset: 60732
Program header table - size of entry: 32
Section header table - size of entry: 40
Program header table - entries: 5
Section header table - entries: 16
Section header table - index of section names: 15
Stripped: True
Sections stripped: False

Anomalies

Segments:
W^X permission : PT_GNU_STACK at offset 0x0
Memory size doubles physical size : PT_LOAD at offset 0xe94c
PT_TLS at offset 0xe950

Sections:
Uncommon sections : .tbss
Section without a name

Debug information: False

Hash

MD5: 4e84f9318fad6495cd9236e9225f6b31
SHA1: 142026539f1531e926717776f4778eb8fb16e626
SHA256: eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776
SHA512: 76097d42583fc7d8e4c7c52fe276d6774b0595f70d7a03e2e7f0b8e512d4faab0e3d4c7ba7ff6722cabc99658bd0bc6abcdabc5720d9c90f036f7fbae33fdabf
ssdeep: 1536:KynCOewIKNlP2+H91eK7xARxSj0iJwnnNlP1igwet1p:WbwIKNlR91xyRxSj0iJA7wefp

Bytes

Entropy: 6.01119715075
Min entropy (16KB blocks): 5.7682120215
Max entropy (16KB blocks): 6.04952079575
Unique bytes (0-255): 256
Null bytes: 10600
White spaces: 2958
Printable bytes: 9835
First 16B: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Longest same bytes sequence: byte 0x0, offset 0xe6e4, length 305
Three rarest bytes: 0x7d (11 times), 0xb5 (11 times), 0xa6 (7 times)
Three most common bytes: 0x0 (10600 times), 0xa0 (3226 times), 0xe1 (2760 times)

File type

Mime type: application/x-executable
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

VirusTotal

URL: https://www.virustotal.com/#/file/eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776
Positive: 9
Total AVs: 52
Scan date: 2019-08-20 18:43:16
AVClass: mirai

Detection:
Ikarus : Trojan.Linux.Mirai
AVG : ELF:Mirai-ALN [Trj]
McAfee : RDN/Generic.grp
Qihoo-360 : LINUX/Trojan.bf7
AegisLab : Trojan.Linux.Mirai.K!c
Fortinet : ELF/Mirai.AE!tr
Avast-Mobile : ELF:Mirai-ALN [Trj]
Avast : ELF:Mirai-ALN [Trj]
ALYac : Backdoor.Linux.Mirai

Data Explore

Paths:
/proc/stat
/proc/cpuinfo
/sys/devices/system/cpu
/dev/null

Code Explore

Nucleus
Eh_frame
Number of functions: 0

Sandbox (user)

Standard output: stresser.cc
Standard error:

Sandbox (root)

Standard output: stresser.cc
Standard error:

Behavior

User behavior

Syscalls

Unique:
setuid
lseek
getdents
rt_sigaction
brk
connect
prctl
close
open
select
access
getsockopt
exit_group
nanosleep
send
write
setsid
setgid
getrlimit
fstat
setrlimit
fcntl
read
clone
getppid
gettimeofday
readlink
setgroups
unlink
recv
execve
wait4
setsockopt
socket
ioctl
times
recvfrom
ftruncate


Unique number: 38
Total number: 170147
Permission related errors: True
Type of permission related error: EPERM (True)
Number of processes: 5
Trace lines lost: 0

Dropped files

Create:
.korea
mp/eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776

Files being read:
/proc/
.korea
/proc/stat

Max sleep: 1.0

Ioctls

Total: 3
Fail: TCGETS

Unlink files:
/tmp/eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776

Unlink itself: True


Root behavior

Syscalls

Unique:
setuid
lseek
getdents
rt_sigaction
brk
connect
prctl
close
open
select
access
getsockopt
exit_group
nanosleep
send
write
setsid
setgid
getrlimit
fstat
setrlimit
fcntl
read
commit_creds
clone
getppid
gettimeofday
readlink
setgroups
unlink
recv
execve
wait4
setsockopt
socket
ioctl
times
recvfrom
ftruncate


Unique number: 39
Total number: 512656
Number of processes: 5
Trace lines lost: 0

Dropped files

Create:
.korea
mp/eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776

Files being read:
/proc/
.korea
/proc/stat

Max sleep: 1.0

Ioctls

Total: 3
Fail: TCGETS

Unlink files:
/tmp/eea519f25c8bbdca9c2a7a04e5697d408d4936a1d5612f044c2cdab49eb9f776

Unlink itself: True