PlayingAround

Failing to Analyze Hajime Mirai

The following is my attempt at analyzing the Hajime Mirai variant, including wondering why IDA wouldn't disassemble it, why UPX wasn't unpacking the malware sample, and what I learned over the process. The main reason is that I gave myself a one-week crash course on malware analysis and looking into IOCs, and tried a live sample MJH and I pulled from a honeypot we set up a few weeks ago. I have learned many things despite my failings, and they are presented in this blog post.

Static analysis

The first thing I did when I downloaded the malware sample was to run strings and hexdump. They didn't pull any significant information, no tangible words other than the fact that it was an ELF file for Linux. Digging further, I then attempted to run it through IDA on Linux in an attempt to reverse it into assembly, and then continued to struggle, wondering why it wouldn't open. This led me on an adventure into packers.

Packers, UPX, unpacking, and a continued struggle session

I ran into Detect It Easy, a packer detector for Linux. It's a really good tool that reads the hex values and detects which packer is used, if one is used. I figured the reason the malware wasn't running was the fact that it was in a packer, which was encoding it and preventing IDA from doing its magic. That isn't how it works, but I was on the right track about the packer being involved with the malware. After using D.I.E (Detect It Easy) I was given this.

Figure 1. A snapshot of DIE reporting UPX as the packer.

So, simple enough: I just have to run the sample through UPX and we have our malware to analyze, or at least that's what I thought.

Figure 2. UPX not detecting any packing.

So now I was confused for a while. I tried playing with the LZMA part of it, but after a while I figured I was just struggling for the sake of struggling and gave up.

Any.Run and trying to work around the issue

Now, after some googling, I know Hajime was based off Mirai, but there was a lot I didn't know about Hajime, like how it was a P2P IoT botnet. It accessed and issued commands based on a distributed hash table. So I figured I'd try to piggyback off other people's work and dig into Hajime and other similar samples. Now, there are Hajime samples on Any.Run, but searching the hash leads to these results.

Figure 3. Everyone trying to run an ELF binary on Windows.

Eventually I found the abuse.ch YARA scanner and decided to throw the sample through it, and it dumped out this.

Figure 4. YARA results from the abuse.ch YARA scanner.

So there is a detection against unpacking, so I know I'm on the right track.

I eventually gave up, removed the network card, and tried to run the malware to see what would happen, and got "bash: ./020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0.elf: cannot execute binary file: Exec format error".

The reason I was having such a hard time is that its arch was MIPS R3000. I am currently googling how to emulate MIPS R3000 on x86_64 and trying to figure out my next step, but I wanted something to show for it.
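Two of the dead ends above have the same root cause: not looking at the ELF header before doing anything else. The "Exec format error" is the kernel refusing to run a foreign-architecture binary (for big-endian MIPS the usual fix is qemu-user, e.g. `qemu-mips-static ./sample.elf`, inside an isolated VM with no network), and the "not packed by UPX" result is what a stock `upx -d` prints when the `UPX!` magic it checks for has been changed, which is common in Mirai-family builds even though DIE still recognizes the decompression stub. The script below is an added example, not code from the original post: it decodes the header fields that `file` and `readelf -h` would show, names the qemu-user binary for that arch (the Debian/Ubuntu `qemu-user-static` names are an assumption), checks the UPX `l_info` magic that sits right after the program header table, and rewrites a customised magic back to `UPX!` in the places upx looks at. The 204-byte MIPS image it builds is constructed for demonstration and is not the Hajime sample.

```python
import struct

# e_machine values -> names (subset relevant to IoT botnet samples)
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86_64"}
# EF_MIPS_ARCH (top nibble of e_flags) -> ISA level
MIPS_ARCH = {0x0: "MIPS I (R3000 class)", 0x1: "MIPS II", 0x2: "MIPS III",
             0x5: "MIPS32", 0x7: "MIPS32r2"}
# (machine, bits, little_endian) -> qemu-user binary; assumption: Debian/Ubuntu
# qemu-user-static naming. Big-endian MIPS is plain "mips", little-endian is "mipsel".
QEMU_USER = {("MIPS", 32, False): "qemu-mips-static",
             ("MIPS", 32, True): "qemu-mipsel-static",
             ("ARM", 32, True): "qemu-arm-static",
             ("x86", 32, True): "qemu-i386-static"}
UPX_MAGIC = b"UPX!"


def parse_elf_header(data):
    """Decode the ELF header fields needed for triage (class, endianness, machine, PHDR table)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]          # EI_CLASS
    little = {1: True, 2: False}[data[5]]   # EI_DATA: 1 = LSB, 2 = MSB
    end = "<" if little else ">"
    e_machine = struct.unpack_from(end + "H", data, 18)[0]
    if bits == 32:
        phoff, _shoff, flags, _ehsize, phentsize, phnum = struct.unpack_from(end + "IIIHHH", data, 28)
    else:
        phoff, _shoff, flags, _ehsize, phentsize, phnum = struct.unpack_from(end + "QQIHHH", data, 32)
    machine = EM_NAMES.get(e_machine, hex(e_machine))
    isa = MIPS_ARCH.get(flags >> 28, hex(flags)) if machine == "MIPS" else None
    return {"bits": bits, "little": little, "machine": machine, "isa": isa,
            "phoff": phoff, "phentsize": phentsize, "phnum": phnum}


def how_to_run(hdr, host="x86_64"):
    """Name the qemu-user binary needed to execute this ELF on the given host, or 'native'."""
    if hdr["machine"] == host:
        return "native"
    return QEMU_USER.get((hdr["machine"], hdr["bits"], hdr["little"]), "unknown: add a mapping")


def upx_l_magic_offset(hdr):
    # UPX's loader stub places `struct l_info { l_checksum; l_magic; l_lsize; l_version; l_format; }`
    # directly after the program header table, so l_magic sits 4 bytes past the table's end.
    return hdr["phoff"] + hdr["phentsize"] * hdr["phnum"] + 4


def upx_status(data):
    """Report whether the l_info magic a stock `upx -d` looks for is intact."""
    off = upx_l_magic_offset(parse_elf_header(data))
    found = bytes(data[off:off + 4])
    return {"l_magic_offset": off, "l_magic": found,
            "intact": found == UPX_MAGIC, "magic_hits": data.count(UPX_MAGIC)}


def restore_upx_magic(data, tail_window=64):
    """Rewrite a customised 4-byte magic back to 'UPX!' where upx checks it.

    Returns (patched_bytes, number_of_patches). Only the l_info slot and the
    tail of the file (where the PackHeader and trailer live) are touched, so a
    chance 4-byte match inside the compressed payload is left alone.
    """
    off = upx_l_magic_offset(parse_elf_header(data))
    custom = bytes(data[off:off + 4])
    if custom == UPX_MAGIC:
        return bytes(data), 0
    buf = bytearray(data)
    buf[off:off + 4] = UPX_MAGIC
    patches = 1
    idx = buf.find(custom, max(0, len(buf) - tail_window))
    while idx != -1:
        buf[idx:idx + 4] = UPX_MAGIC
        patches += 1
        idx = buf.find(custom, idx + 4)
    return bytes(buf), patches


def build_fake_packed_mips(magic=UPX_MAGIC):
    """Constructed test image: a 204-byte big-endian MIPS ELF32 shaped like a UPX output.

    Not a real sample: the layout (ELF header, 2 PHDRs, l_info, payload,
    PackHeader + trailer) mirrors UPX's, but the payload is zeros.
    """
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELF32, MSB, version 1
    # e_type=EXEC, e_machine=MIPS, e_version, e_entry, e_phoff=52, e_shoff, e_flags=EF_MIPS_ARCH_1,
    # e_ehsize=52, e_phentsize=32, e_phnum=2, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0x00400000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdrs = b"\x00" * 64
    l_info = struct.pack(">I4sHBB", 0, magic, 12, 13, 0)   # checksum, magic, lsize, version, format
    payload = b"\x00" * 40
    tail = magic + b"\x00" * 28 + magic                   # PackHeader magic ... trailer magic
    return ehdr + phdrs + l_info + payload + tail


if __name__ == "__main__":
    sample = build_fake_packed_mips(b"\x10\x20\x30\x40")  # constructed image with a custom magic
    hdr = parse_elf_header(sample)
    print(hdr["machine"], hdr["isa"], "run with:", how_to_run(hdr))
    print("before:", upx_status(sample))
    fixed, n = restore_upx_magic(sample)
    print("after %d patches:" % n, upx_status(fixed))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `upx_status` before reaching for `upx -d`; if the magic at `l_magic_offset` is not `UPX!`, the restore is worth a try, but it is not guaranteed to be enough, since a modified UPX build can also change the header checksum or other stub fields, in which case the remaining route is to run the binary under qemu-user in an isolated VM and dump the decompressed image from memory.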

Malware sample SHA256: 020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0. It can be downloaded via MalwareBazaar: https://bazaar.abuse.ch/download/020f1fa6072108c79ed6f553f4f8b08e157bf17f9c260a76353300230fed09f0/