Linux Analysis Report
3OcPSlVa7n.elf

Overview

General Information

Sample name:	3OcPSlVa7n.elf renamed because original name is a hash value
Original sample name:	e20f475a8bc540686441721b41ea76bf.elf
Analysis ID:	1427799
MD5:	e20f475a8bc540686441721b41ea76bf
SHA1:	aab91ad8a8d9ab14828ab4a598198facc21bba66
SHA256:	5268b17dfef328c417542412ed99057ec65aae68c02b8934a46c1ea95cbd140c
Tags:	32elfmirairenesas
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Detected Mirai

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mirai

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 3OcPSlVa7n.elf	ReversingLabs: Detection: 55%
Source: 3OcPSlVa7n.elf	Virustotal: Detection: 56%			Perma Link

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:39932 -> 120.193.217.226:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:42004 -> 120.193.217.226:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:40516 -> 125.168.207.100:23
Source: Traffic	Snort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.13:49684 -> 200.54.251.113:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:36470 -> 149.210.61.204:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:41072 -> 125.168.207.100:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:55874 -> 123.25.238.188:23
Source: Traffic	Snort IDS: 2023452 ET TROJAN Possible Linux.Mirai Login Attempt (Zte521) 192.168.2.13:50054 -> 200.54.251.113:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:55002 -> 41.63.244.11:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:57630 -> 125.66.29.3:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:51560 -> 83.170.207.226:23
Source: Traffic	Snort IDS: 2023333 ET TROJAN Linux.Mirai Login Attempt (xc3511) 192.168.2.13:51524 -> 200.54.251.113:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:51524 -> 200.54.251.113:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:58354 -> 125.66.29.3:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:54514 -> 111.221.176.81:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:47254 -> 195.226.224.177:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.13:46372 -> 186.130.107.251:23

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 23 -> 51876

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.13:38458 -> 91.92.250.136:11025

Sample listens on a socket

Source: /tmp/3OcPSlVa7n.elf (PID: 5452)

Socket: 0.0.0.0::23

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 133.190.215.89
Source: unknown	TCP traffic detected without corresponding DNS query: 180.136.44.135
Source: unknown	TCP traffic detected without corresponding DNS query: 38.201.48.89
Source: unknown	TCP traffic detected without corresponding DNS query: 196.251.166.59
Source: unknown	TCP traffic detected without corresponding DNS query: 202.11.229.128
Source: unknown	TCP traffic detected without corresponding DNS query: 216.216.242.138
Source: unknown	TCP traffic detected without corresponding DNS query: 117.50.184.208
Source: unknown	TCP traffic detected without corresponding DNS query: 75.85.212.186
Source: unknown	TCP traffic detected without corresponding DNS query: 156.223.32.215
Source: unknown	TCP traffic detected without corresponding DNS query: 173.238.250.19
Source: unknown	TCP traffic detected without corresponding DNS query: 96.161.98.30
Source: unknown	TCP traffic detected without corresponding DNS query: 71.62.180.89
Source: unknown	TCP traffic detected without corresponding DNS query: 32.123.11.231
Source: unknown	TCP traffic detected without corresponding DNS query: 126.63.62.169
Source: unknown	TCP traffic detected without corresponding DNS query: 150.151.122.53
Source: unknown	TCP traffic detected without corresponding DNS query: 41.87.116.23
Source: unknown	TCP traffic detected without corresponding DNS query: 143.85.239.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.217.199.100
Source: unknown	TCP traffic detected without corresponding DNS query: 20.182.60.23
Source: unknown	TCP traffic detected without corresponding DNS query: 188.163.237.212
Source: unknown	TCP traffic detected without corresponding DNS query: 88.40.9.8
Source: unknown	TCP traffic detected without corresponding DNS query: 153.126.133.252
Source: unknown	TCP traffic detected without corresponding DNS query: 94.157.184.210
Source: unknown	TCP traffic detected without corresponding DNS query: 153.60.213.35
Source: unknown	TCP traffic detected without corresponding DNS query: 123.135.188.171
Source: unknown	TCP traffic detected without corresponding DNS query: 141.119.227.240
Source: unknown	TCP traffic detected without corresponding DNS query: 103.92.72.164
Source: unknown	TCP traffic detected without corresponding DNS query: 196.62.173.44
Source: unknown	TCP traffic detected without corresponding DNS query: 12.108.6.164
Source: unknown	TCP traffic detected without corresponding DNS query: 119.226.70.37
Source: unknown	TCP traffic detected without corresponding DNS query: 82.68.120.108
Source: unknown	TCP traffic detected without corresponding DNS query: 1.154.119.112
Source: unknown	TCP traffic detected without corresponding DNS query: 44.112.217.199
Source: unknown	TCP traffic detected without corresponding DNS query: 223.107.175.237
Source: unknown	TCP traffic detected without corresponding DNS query: 132.223.109.91
Source: unknown	TCP traffic detected without corresponding DNS query: 86.232.88.228
Source: unknown	TCP traffic detected without corresponding DNS query: 202.153.86.255
Source: unknown	TCP traffic detected without corresponding DNS query: 161.158.56.230
Source: unknown	TCP traffic detected without corresponding DNS query: 213.14.196.77
Source: unknown	TCP traffic detected without corresponding DNS query: 164.204.180.153
Source: unknown	TCP traffic detected without corresponding DNS query: 194.35.17.21
Source: unknown	TCP traffic detected without corresponding DNS query: 129.142.137.168
Source: unknown	TCP traffic detected without corresponding DNS query: 72.58.233.230
Source: unknown	TCP traffic detected without corresponding DNS query: 115.73.197.115
Source: unknown	TCP traffic detected without corresponding DNS query: 93.145.206.118
Source: unknown	TCP traffic detected without corresponding DNS query: 220.128.100.84
Source: unknown	TCP traffic detected without corresponding DNS query: 100.160.184.86
Source: unknown	TCP traffic detected without corresponding DNS query: 60.214.253.132
Source: unknown	TCP traffic detected without corresponding DNS query: 61.199.67.255
Source: unknown	TCP traffic detected without corresponding DNS query: 144.198.91.76

Source: unknown

DNS traffic detected: queries for: daisy.ubuntu.com

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal76.troj.linELF@0/0@2/0

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 23 -> 51876

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/3OcPSlVa7n.elf (PID: 5445)

Queries kernel information via 'uname':

Jump to behavior

Source: 3OcPSlVa7n.elf, 5445.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: 3OcPSlVa7n.elf, 5445.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.0000556f2723c000.0000556f2729f000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: 3OcPSlVa7n.elf, 5445.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.00007ffc80b86000.00007ffc80ba7000.rw-.sdmp	Binary or memory string: Vx86_64/usr/bin/qemu-sh4/tmp/3OcPSlVa7n.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/3OcPSlVa7n.elf
Source: 3OcPSlVa7n.elf, 5445.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5448.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5452.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5460.1.0000556f2723c000.0000556f2729f000.rw-.sdmp, 3OcPSlVa7n.elf, 5454.1.0000556f2723c000.0000556f2729f000.rw-.sdmp	Binary or memory string: #'oU5!/etc/qemu-binfmt/sh4

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Detected Mirai

Source: Traffic	Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (hi3518)
Source: Traffic	Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (Zte521)
Source: Traffic	Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)
Source: Traffic	Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (hi3518)
Source: Traffic	Snort IDS: ET TROJAN Possible Linux.Mirai Login Attempt (Zte521)
Source: Traffic	Snort IDS: ET TROJAN Linux.Mirai Login Attempt (xc3511)

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.60.242.99	unknown	Poland	8374	PLUSNETPlusnetworkoperatorinPolandPL	false
37.191.85.212	unknown	Iran (ISLAMIC Republic Of)	48309	AGS-ASIR	false
207.231.93.24	unknown	United States	14051	SUREWESTUS	false
44.69.191.75	unknown	United States	7377	UCSDUS	false
85.202.224.208	unknown	Russian Federation	44622	MTK-MOSINTER-ASRU	false
117.109.248.93	unknown	Japan	18081	KCNKintetsuCableNetworkCoLtdJP	false
102.107.163.156	unknown	Tunisia	37693	TUNISIANATN	false
82.33.237.127	unknown	United Kingdom	5089	NTLGB	false
181.163.72.24	unknown	Chile	7418	TELEFONICACHILESACL	false
79.52.33.179	unknown	Italy	3269	ASN-IBSNAZIT	false
181.161.187.19	unknown	Chile	7418	TELEFONICACHILESACL	false
97.181.17.123	unknown	United States	6167	CELLCO-PARTUS	false
139.3.199.119	unknown	Germany	15486	MATERNA-ASDE	false
218.147.193.134	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
198.174.192.227	unknown	United States	5006	VOYANTUS	false
159.168.66.121	unknown	Switzerland	28686	AVECTRIS-ASCH	false
112.3.176.175	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
157.196.171.4	unknown	United States	4704	SANNETRakutenMobileIncJP	false
174.180.94.199	unknown	United States	7922	COMCAST-7922US	false
201.138.200.131	unknown	Mexico	8151	UninetSAdeCVMX	false
166.173.75.112	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
115.173.64.212	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
126.180.202.111	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
74.75.40.196	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
150.119.43.129	unknown	United States	4152	USDA-1US	false
157.21.237.50	unknown	United States	53446	EVMSUS	false
101.152.226.18	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
161.78.204.214	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
63.88.124.128	unknown	United States	701	UUNETUS	false
183.132.208.28	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
108.173.19.134	unknown	Canada	852	ASN852CA	false
90.157.160.253	unknown	Slovenia	21283	A1SI-ASA1SlovenijaSI	false
94.2.207.54	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
99.245.1.152	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
183.188.162.163	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
210.53.233.207	unknown	China	9929	CUIICHINAUNICOMIndustrialInternetBackboneCN	false
193.203.62.5	unknown	Russian Federation	41268	LANTA-ASRU	false
107.254.209.192	unknown	United States	7018	ATT-INTERNET4US	false
84.178.119.72	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
192.150.30.210	unknown	United States	1848	AS1848US	false
173.204.251.230	unknown	United States	26228	SERVEPATHUS	false
69.200.78.23	unknown	United States	12271	TWC-12271-NYCUS	false
53.189.202.226	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
91.19.165.36	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
88.107.191.107	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	false
189.22.25.237	unknown	Brazil	4230	CLAROSABR	false
178.86.67.165	unknown	Saudi Arabia	39891	ALJAWWALSTC-ASSA	false
53.121.223.195	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
17.155.79.242	unknown	United States	714	APPLE-ENGINEERINGUS	false
69.249.73.1	unknown	United States	7922	COMCAST-7922US	false
145.175.18.57	unknown	Netherlands	59524	KPN-IAASNL	false
97.197.178.6	unknown	United States	6167	CELLCO-PARTUS	false
116.167.196.150	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
126.77.190.141	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
171.129.35.109	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
93.139.200.224	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
31.2.120.86	unknown	Poland	21243	PLUSNETPlusGSMtransitcorenetworkPL	false
126.213.169.41	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
31.251.56.46	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
114.44.110.86	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
199.45.250.122	unknown	United States	16618	FUC-AS-16618US	false
118.5.62.151	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
125.59.216.44	unknown	Hong Kong	9908	HKCABLE2-HK-APHKCableTVLtdHK	false
165.75.217.146	unknown	United States	63474	SIRIUS-DATACENTERSUS	false
17.188.215.119	unknown	United States	714	APPLE-ENGINEERINGUS	false
176.72.93.206	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
212.209.129.255	unknown	Sweden	702	UUNETUS	false
103.216.152.53	unknown	China	137697	CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZ	false
118.116.202.197	unknown	China	139220	CHINANET-SICHUAN-CHUANXI-IDCSichuanChuanxnIDCCN	false
34.143.235.251	unknown	United States	2686	ATGS-MMD-ASUS	false
100.235.142.46	unknown	United States	21928	T-MOBILE-AS21928US	false
117.189.32.206	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
14.159.202.184	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
121.41.202.254	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
177.135.192.207	unknown	Brazil	18881	TELEFONICABRASILSABR	false
114.171.18.148	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
125.246.235.17	unknown	Korea Republic of	38411	GOEYI-AS-KRYonginofficeofeducationKR	false
113.60.171.110	unknown	Korea Republic of	17849	GINAMHANVIT-AS-KRTbroadGinamBroadcatingCoLtdKR	false
104.102.70.199	unknown	United States	16625	AKAMAI-ASUS	false
96.195.125.52	unknown	United States	7922	COMCAST-7922US	false
97.73.172.170	unknown	United States	6621	HNS-DIRECPCUS	false
89.174.119.67	unknown	Poland	206957	INTERSATPL	false
134.221.96.55	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
40.167.148.124	unknown	United States	4249	LILLY-ASUS	false
82.222.204.104	unknown	Turkey	34984	TELLCOM-ASTR	false
85.30.182.116	unknown	Sweden	34244	TELESERVICESE	false
136.206.110.58	unknown	Ireland	1213	HEANETIE	false
27.21.210.158	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
176.249.109.109	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
42.222.34.237	unknown	China	4249	LILLY-ASUS	false
147.158.158.181	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
31.106.207.254	unknown	United Kingdom	12576	EELtdGB	false
40.150.230.248	unknown	United States	4249	LILLY-ASUS	false
87.71.122.189	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	false
37.102.96.150	unknown	Italy	9158	TELENOR_DANMARK_ASDK	false
71.88.212.65	unknown	United States	20115	CHARTER-20115US	false
175.57.255.127	unknown	China	134810	CMNET-JILIN-AS-APChinaMobileGroupJiLincommunicationsco	false
64.153.210.23	unknown	United States	3356	LEVEL3US	false
168.119.31.114	unknown	Germany	24940	HETZNER-ASDE	false
185.72.145.96	unknown	Russian Federation	201499	FULLSPACE-ASRU	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.25	true

ID:	1427799
Product:	CloudBasic
Start time:	07:51:06
Start date:	18.04.2024
Sample:	3OcPSlVa7n.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	e20f475a8bc540686441721b41ea76bf
SHA1:	aab91ad8a8d9ab14828ab4a598198facc21bba66
SHA256:	5268b17dfef328c417542412ed99057ec65aae68c02b8934a46c1ea95cbd140c
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
3OcPSlVa7n.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report 3OcPSlVa7n.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
3OcPSlVa7n.elf

Malware Threat Intel
Provided by