Sample : f665b09d17f307d7269fd66a5d5950e89044375576f8856ee6b426053cf8b21f

Summary


OS ABI: UNIX - System V
CPU class: 32 bit
Persistence (user): No
Persistence (root): No
CPU byte order: 2's complement LSB
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
CPU type: ARM 32-bit
Entropy: 5.97042581924
Syscalls executed (root): 2
Syscalls executed (user): 1
ELF type: Executable file

ELF


Class: 32 bit
Data encoding: 2's complement LSB
Operating system ABI: UNIX - System V
Object file type: Executable file
ELF version: 0.1
Machine: ARM 32-bit
Link: static
Entrypoint: 0x8154
Number of segments: 3
Number of sections: 12
Program header table offset: 52
Section header table offset: 58732
Program header table - size of entry: 32
Section header table - size of entry: 40
Program header table - entries: 3
Section header table - entries: 12
Section header table - index sections names: 11
Stripped: True
Sections stripped: False

Anomalies - Segments:
W^X permission : PT_GNU_STACK at offset 0x0
Memory size doubles physical size : PT_LOAD at offset 0xe2d0

Anomalies - Sections:
Uncommon sections : section without a name

Debug information: False
Readelf errors: readelf: Error: Unused bytes at end of section

Hash


MD5: 928a00f3907f1e5aca4f9e7efef356d7
SHA1: d18d7d6bd01ae6e04b5ce8f0cca6dec8bdf96ca6
SHA256: f665b09d17f307d7269fd66a5d5950e89044375576f8856ee6b426053cf8b21f
SHA512: d573408af8b0991586fcff8bee26175d935b5e728563156094997b2d0175ce2ebd332ee1d7c59df45b3ac5963fda74faa556185833903998f96b75a83949c5e2
ssdeep: 1536:d9n5zBXsKjDuWjHYbMXH6Zmyyv1iOL6xL3I4ifnboXWV1:1B8K/7HCMXaNSkonboXWV1

Bytes


Entropy: 5.97042581924
Min entropy (16KB blocks): 5.86887765412
Max entropy (16KB blocks): 5.98402851545
Unique bytes (0-255): 256
Null bytes: 9750
White spaces: 3222
Printable bytes: 9731
First 16B: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Last 16B: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
Longest same bytes sequence: byte 0x0, offset 0xe1b4, length 269
Three rarest bytes: 0xa7 (7 times), 0xb7 (7 times), 0xa6 (6 times)
Three most common bytes: 0x0 (9750 times), 0xa0 (3421 times), 0xe1 (2948 times)

File type


Mime type: application/x-executable
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped

VirusTotal


URL: https://www.virustotal.com/#/file/f665b09d17f307d7269fd66a5d5950e89044375576f8856ee6b426053cf8b21f
Positive: 25
Total AVs: 59
Scan date: 2018-03-24 14:55:14
AVClass: mirai
Detection:

Kaspersky : HEUR:Backdoor.Linux.Mirai.ba

GData : Linux.Trojan.Agent.JCRRVD

Jiangmin : Backdoor.Linux.anjm

NANO-Antivirus : Trojan.Mirai.exuigj

ESET-NOD32 : a variant of Linux/Mirai.AT

Avast-Mobile : ELF:Mirai-ID [Trj]

Qihoo-360 : Win32/Trojan.e4f

Ikarus : Trojan.Linux.Mirai

Antiy-AVL : Trojan[Backdoor]/Linux.Mirai.b

Microsoft : Backdoor:Linux/Mirai!rfn

Avast : ELF:Mirai-ID [Trj]

AVG : ELF:Mirai-ID [Trj]

McAfee-GW-Edition : RDN/Generic BackDoor

Avira : LINUX/Mirai.vtoyn

Cyren : ELF/Trojan.OBPW-5

ZoneAlarm : HEUR:Backdoor.Linux.Mirai.ba

Sophos : Mal/Generic-S

McAfee : RDN/Generic BackDoor

Fortinet : ELF/Mirai.AE!tr

AegisLab : Backdoor.Linux.Mirai!c

Tencent : Linux.Backdoor.Mirai.Hsik

DrWeb : Linux.Mirai.791

Symantec : Linux.Mirai

TrendMicro-HouseCall : ELF_MIRAI.SMT32

TrendMicro : ELF_MIRAI.SMT32

Data Explore


Paths: /proc/stat, /proc/cpuinfo, /sys/devices/system/cpu, /dev/null
IPs (v4 and v6): 174.138.8.34

Code Explore


Nucleus

Eh_frame

Sandbox (user)


Standard output:
Standard error: Segmentation fault

Sandbox (root)


Standard output:
Standard error: Segmentation fault

Behavior


User behavior

Errors - Segmentation fault: True
Syscalls - Unique: execve
Syscalls - Unique number: 1
Syscalls - Total number: 1
Number of processes: 1
Trace lines lost: 0
Empty trace: True
Max sleep: -1.0



Root behavior

Errors - Segmentation fault: True
Syscalls - Unique: commit_creds, execve
Syscalls - Unique number: 2
Syscalls - Total number: 2
Number of processes: 1
Trace lines lost: 0
Max sleep: -1.0