Linux Analysis Report
If1BjZdkZh.elf

Overview

General Information

Sample name: If1BjZdkZh.elf
renamed because original name is a hash value
Original sample name: 985188e6bc0bf7c11d97deaeab65444a.elf
Analysis ID: 1417441
MD5: 985188e6bc0bf7c11d97deaeab65444a
SHA1: d75c924bd7597fc35a2e09a8f70345112ceaa78c
SHA256: 6eb86c672a98e4148f968de247d345ca5c5739033159f191480208c4d0d51272
Tags: 32 elf mirai motorola

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Reads CPU information from /proc indicative of miner or evasive malware
Reads system information from the proc file system
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: If1BjZdkZh.elf ReversingLabs: Detection: 42%
Source: If1BjZdkZh.elf Virustotal: Detection: 42%
Source: /tmp/If1BjZdkZh.elf (PID: 5467) Reads CPU info from proc file: /proc/cpuinfo

Networking

Source: global traffic TCP traffic: 185.196.8.213 ports 59432,6,7,8,9,6789
Source: global traffic TCP traffic: 192.168.2.13:57442 -> 185.196.8.213:6789
Source: /tmp/If1BjZdkZh.elf (PID: 5464) Socket: 127.0.0.1::46157
Source: unknown TCP traffic detected without corresponding DNS query: 217.32.184.17
Source: unknown DNS traffic detected: queries for: jhbaghjbasdg.shop
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.troj.linELF@0/0@1/0
Source: /tmp/If1BjZdkZh.elf (PID: 5467) Reads from proc file: /proc/cpuinfo
Source: /tmp/If1BjZdkZh.elf (PID: 5467) Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/If1BjZdkZh.elf (PID: 5464) Queries kernel information via 'uname'
Source: If1BjZdkZh.elf, 5464.1.000055ddbbdaa000.000055ddbbe2f000.rw-.sdmp, If1BjZdkZh.elf, 5469.1.000055ddbbdaa000.000055ddbbe0e000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: If1BjZdkZh.elf, 5464.1.00007ffd39399000.00007ffd393ba000.rw-.sdmp, If1BjZdkZh.elf, 5469.1.00007ffd39399000.00007ffd393ba000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: If1BjZdkZh.elf, 5464.1.000055ddbbdaa000.000055ddbbe2f000.rw-.sdmp, If1BjZdkZh.elf, 5469.1.000055ddbbdaa000.000055ddbbe0e000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: If1BjZdkZh.elf, 5464.1.00007ffd39399000.00007ffd393ba000.rw-.sdmp, If1BjZdkZh.elf, 5469.1.00007ffd39399000.00007ffd393ba000.rw-.sdmp Binary or memory string: -EUx86_64/usr/bin/qemu-m68k/tmp/If1BjZdkZh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/If1BjZdkZh.elf