Linux Analysis Report
hmDumpR4Ys.elf

Overview

General Information

Sample name: hmDumpR4Ys.elf
(renamed because the original name is a hash value)
Original sample name: 301cc407abd6736140ae0df3c53aec64.elf
Analysis ID: 1427713
MD5: 301cc407abd6736140ae0df3c53aec64
SHA1: e611be05f66ae77beb53328e98217f89af449096
SHA256: e3aab908800cb4601bc4a87ac9ac48d816ced57cdb409b6e2468956cc50bdf04
Tags: 64elf

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Drops invisible ELF files
Performs DNS queries to domains with low reputation
Sample is packed with UPX
Creates hidden files and/or directories
ELF contains segments with high entropy indicating compressed/encrypted content
Reads the 'hosts' file potentially containing internal network hosts
Sample and/or dropped files contains symbols with suspicious names
Sample contains only a LOAD segment without any section mappings
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

AV Detection

Source: hmDumpR4Ys.elf ReversingLabs: Detection: 21%

Networking

Source: DNS query: www.megtech.xyz
Source: /tmp/hmDumpR4Ys.elf (PID: 5436) Reads hosts file: /etc/hosts
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: www.megtech.xyz
Source: hmDumpR4Ys.elf String found in binary or memory: http://upx.sf.net
Source: hmDumpR4Ys.elf, 5436.1.0000000000400000.000000000078d000.r-x.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: hmDumpR4Ys.elf, 5436.1.0000000000400000.000000000078d000.r-x.sdmp String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: .sys.rrcache.data.13.dr String found in binary or memory: https://www.megtech.xyz/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 42220
Source: unknown Network traffic detected: HTTP traffic on port 42218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 42218
Source: unknown Network traffic detected: HTTP traffic on port 42220 -> 443
Source: .sys.rrcache.data.13.dr ELF static info symbol of dropped file: find_payload
Source: .sys.rrcache.data.13.dr ELF static info symbol of dropped file: find_payload
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal60.troj.evad.linELF@0/1@3/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/hmDumpR4Ys.elf (PID: 5437) File: /tmp/.sys.rrcache.data
Source: /tmp/hmDumpR4Ys.elf (PID: 5437) Directory: /tmp/.sys.rrcache.data
Source: /tmp/hmDumpR4Ys.elf (PID: 5437) File: /tmp/.sys.rrcache.data (bits: - usr: rwx grp: rwx all: rwx)
Source: /tmp/hmDumpR4Ys.elf (PID: 5437) File written: /tmp/.sys.rrcache.data

Hooking and other Techniques for Hiding and Protection

Source: /tmp/hmDumpR4Ys.elf (PID: 5437) ELF file: /tmp/.sys.rrcache.data
Source: hmDumpR4Ys.elf Submission file: segment LOAD with 7.9135 entropy (max. 8.0)
Source: /tmp/hmDumpR4Ys.elf (PID: 5436) Queries kernel information via 'uname'
Source: /tmp/hmDumpR4Ys.elf (PID: 5437) Queries kernel information via 'uname'