Linux Analysis Report
l1uxT537eS.elf

Overview

General Information

Sample name: l1uxT537eS.elf
renamed because original name is a hash value
Original sample name: d3ac8d7674cea0bce640b258d273dca9.elf
Analysis ID: 1428639
MD5: d3ac8d7674cea0bce640b258d273dca9
SHA1: e9aadb5c87d35bacd9aacbe7499673d26e17b51d
SHA256: 5d9619184be27be1bd1d4816abbe5f3625fce052c3c283bee581e8e683f633f1
Tags: 32armelfmirai
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: l1uxT537eS.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: l1uxT537eS.elf Virustotal: Detection: 43% Perma Link
Source: l1uxT537eS.elf ReversingLabs: Detection: 68%
Found strings indicative of a multi-platform dropper
Source: l1uxT537eS.elf String: nh con../dvr_gui./upnp_server./dvr_app./pkillkillallwgetbusyboxtopcurlrebootpsftptftppgrepgrepxargsawkTT
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: l1uxT537eS.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6225.1.00007f32b4017000.00007f32b4037000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: l1uxT537eS.elf PID: 6225, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: nh con../dvr_gui./upnp_server./dvr_app./pkillkillallwgetbusyboxtopcurlrebootpsftptftppgrepgrepxargsawkTT
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: l1uxT537eS.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6225.1.00007f32b4017000.00007f32b4037000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: l1uxT537eS.elf PID: 6225, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal64.linELF@0/0@0/0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/l1uxT537eS.elf (PID: 6225) Queries kernel information via 'uname': Jump to behavior
Source: l1uxT537eS.elf, 6225.1.0000555be4796000.0000555be48c4000.rw-.sdmp Binary or memory string: [U!/etc/qemu-binfmt/arm
Source: l1uxT537eS.elf, 6225.1.00007ffe666af000.00007ffe666d0000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/l1uxT537eS.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/l1uxT537eS.elf
Source: l1uxT537eS.elf, 6225.1.0000555be4796000.0000555be48c4000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: l1uxT537eS.elf, 6225.1.00007ffe666af000.00007ffe666d0000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: l1uxT537eS.elf, 6225.1.00007ffe666af000.00007ffe666d0000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false