MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11696fec138919ea3de0edcca4b34d8f1f6abeb5430a5e6cdcacbafd43d45a0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash: 11696fec138919ea3de0edcca4b34d8f1f6abeb5430a5e6cdcacbafd43d45a0d
SHA3-384 hash: 6189632a6cf56900673b028b19021d888b435232ff58a7a08f8066d954ebba31993ba68f1904fc1e04ff168c1e880ae7
SHA1 hash: 155db6d421948a5a75d2fc980c77b4e8d8583bde
MD5 hash: 5ff789b520cf1b1d81f87eba295c25ba
humanhash: montana-cold-angel-winter
File name:jklx86
Download: download sample
Signature Mirai
File size:58'000 bytes
First seen:2024-04-14 14:50:08 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:2CTEI1vjzOe9XDfugr1fFiNGkbkv0GbI5w4ljyoQRN:2CAkvjzH9T2gxfFiNGE9GbISAjA
TLSH T1404328C8A913D8F5EC25053424B3E7724631F5391029FA93DB99DE26BC42F22BD4639D
telfhash t1d421d5f23dbe09f9f3c59848834e5e511a29e27f2eb137e00572a01533e3e81446ac3a
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter elfdigest
Tags:mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
99
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Receives data from a server
Runs as daemon
DNS request
Opens a port
Creating a file
Sends data to a server
Connection attempt
Substitutes an application name
Performs a bruteforce attack in the network
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
anti-debug
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
205.209.114.243:80
Number of open files:
11
Number of processes launched:
5
Processes remaning?
true
Remote TCP ports scanned:
23
Behaviour
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
type:Mirai 85.204.116.22:38241
UDP botnet C2(s):
not identified
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1425777 Sample: jklx86.elf Startdate: 14/04/2024 Architecture: LINUX Score: 60 24 Malicious sample detected (through community Yara rule) 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Machine Learning detection for sample 2->28 8 jklx86.elf 2->8         started        process3 process4 10 jklx86.elf 8->10         started        process5 12 jklx86.elf 10->12         started        14 jklx86.elf 10->14         started        16 jklx86.elf 10->16         started        18 2 other processes 10->18 process6 20 jklx86.elf 12->20         started        22 jklx86.elf 14->22         started       
Threat name:
Linux.Trojan.Mirai
Status:
Malicious
First seen:
2024-04-13 18:51:32 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery linux
Behaviour
Reads runtime system information
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Changes its process name
Modifies Watchdog functionality
Renames itself
Unexpected DNS network traffic destination
Contacts a large (86541) amount of remote hosts
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Trojan_Mirai_88de437f
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Author:Elastic Security
Rule name:maldoc_getEIP_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 11696fec138919ea3de0edcca4b34d8f1f6abeb5430a5e6cdcacbafd43d45a0d

(this sample)

  
Delivery method
Distributed via web download

Comments