Linux Analysis Report
QpHMHEg6OQ.elf

Overview

General Information

Sample name: QpHMHEg6OQ.elf
renamed because original name is a hash value
Original sample name: 3df59e66242b59fc077970fa0f3c74d82a24c673394969041133f8bee8c70775.elf
Analysis ID: 1428258
MD5: e97eef55eb472d2ade9bc98b43ba2eec
SHA1: 426529f6ce6e495a669d00a542bc4c7ef3722e53
SHA256: 3df59e66242b59fc077970fa0f3c74d82a24c673394969041133f8bee8c70775
Infos:

Detection

Chaos
Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Chaos
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name Description Attribution Blogpost URLs Link
Chaos Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: QpHMHEg6OQ.elf ReversingLabs: Detection: 47%
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: QpHMHEg6OQ.elf String found in binary or memory: http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qpadding bytes must all be zeros unless AllowIllegalWrites is enabledreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytestls: peer doesn't support the certificate custom signature algorithmsbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xgot %s for stream %d; expected CONTINUATION following %s for stream %dx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)dynamic table size update MUST occur at the beginning of a header blockssh: no common algorithm for %s; client offered: %v, server offered: %vtls: peer doesn't support any of the certificate's signature algorithmstoo many concurrent operations on a single file or socket (max 1048575)x509: issuer has name constraints but leaf doesn't have a SAN extensionMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)tls: server's certificate contains an unsupported type of public key: %Ttls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempt
Source: QpHMHEg6OQ.elf String found in binary or memory: http: RoundTripper implementation (%T) returned a nil *Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromised1920<<RMS>> equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com
Source: QpHMHEg6OQ.elf String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: QpHMHEg6OQ.elf String found in binary or memory: http://search.msn.com/msnbot.htm
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: QpHMHEg6OQ.elf String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: QpHMHEg6OQ.elf String found in binary or memory: http://yandex.com/bots)http:
Source: QpHMHEg6OQ.elf String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: QpHMHEg6OQ.elf String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: QpHMHEg6OQ.elf String found in binary or memory: https://www.so.com/s?q=index
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/2@2/0
Source: ELF file section Submission: QpHMHEg6OQ.elf
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/QpHMHEg6OQ.elf (PID: 5487) Queries kernel information via 'uname': Jump to behavior
Source: QpHMHEg6OQ.elf, 5487.1.00007fffca1b5000.00007fffca1d6000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips64
Source: QpHMHEg6OQ.elf, 5487.1.00007fffca1b5000.00007fffca1d6000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips64/tmp/QpHMHEg6OQ.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/QpHMHEg6OQ.elf
Source: QpHMHEg6OQ.elf, 5487.1.0000560fe4a26000.0000560fe4aac000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips641RelativeDistinguishedName
Source: QpHMHEg6OQ.elf, 5487.1.0000560fe4a26000.0000560fe4aac000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips64

Stealing of Sensitive Information
barindex
Yara detected Chaos
Source: Yara match File source: QpHMHEg6OQ.elf, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Chaos
Source: Yara match File source: QpHMHEg6OQ.elf, type: SAMPLE

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.125.190.26
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true