Linux Analysis Report
iL5Wv8HGIr.elf

Overview

General Information

Sample name: iL5Wv8HGIr.elf
renamed because original name is a hash value
Original sample name: ad0a11b87b468cbd4d9555d4f845e9256370ff631f7cafc063d6e0a59e98c777.elf
Analysis ID: 1427902
MD5: 68eb04e4cb5b8b7bee600c05dfaaf81c
SHA1: 7323f2f13981031c0d16d3f4e61fed9bb126f304
SHA256: ad0a11b87b468cbd4d9555d4f845e9256370ff631f7cafc063d6e0a59e98c777
Tags: elf
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

AV Detection

Source: iL5Wv8HGIr.elf Avira: detected
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: iL5Wv8HGIr.elf String found in binary or memory: http://inet-ip.info/iphttps://api.ipify.org/idna:
Source: iL5Wv8HGIr.elf String found in binary or memory: http://ipgrab.io/https://ident.me/if-modified-sinceillegal
Source: iL5Wv8HGIr.elf String found in binary or memory: http://ipinfo.io/ipif-unmodified-sinceillegal
Source: iL5Wv8HGIr.elf String found in binary or memory: https://checkip.amazonaws.com/illegal
Source: iL5Wv8HGIr.elf String found in binary or memory: https://discord.com/api/webhooks/960954050583613549/YAkGomn5eYtrPChuOPz87pIkS7WK2XpB5Y3ozZQXaAho2VCB
Source: iL5Wv8HGIr.elf String found in binary or memory: https://ip.seeip.org/in
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engine Classification label: mal48.linELF@0/0@0/0