Linux Analysis Report
mJ4CsuZhyr.elf

ID:	1430428
Product:	CloudBasic
Start time:	16:46:09
Start date:	23.04.2024
Sample:	mJ4CsuZhyr.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	1d2f0ac632691ad9306d80d4ca255a68
SHA1:	e2d4891dcb940486b836134c2db0ecad2b5cd234
SHA256:	a93baabdfac2c9c92059075ff04c0d74da65c6f00b84f5e880792ecf9b71aac8
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/tmp/qemu-open.eDFJ3P (deleted)	data	A79AC2964EB1BF9F71DC97CD9BE75270	804A6D302B25257B0F044114B9FC774AAE0BE7C3	73B9C070752439F1A6787BAD2E137DDA6C845EAE9E54BD9FC80ABC4FD5C9EE4A

AV Detection

Source: mJ4CsuZhyr.elf

Avira: detected

Source: mJ4CsuZhyr.elf

ReversingLabs: Detection: 47%

Spreading

Source: mJ4CsuZhyr.elf

String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Networking

Source: unknown	DNS traffic detected: query: cnc.voidnet.click.'f!p66a/PV!E(*:5we))'fpNNPV!a/E@7
Source: unknown	DNS traffic detected: query: cnc.voidnet.click.'f66a/PV!E(:+5sp-)'f}NNPV!a/E@7
Source: unknown	DNS traffic detected: query: cnc.voidnet.click.'fm66a/PV!E(G7j6I5o)'f"nNNPV!a/E@7
Source: unknown	DNS traffic detected: query: cnc.voidnet.click.'f66a/PV!E(9O5?)'fZNNPV!a/E@8.@@/.5,.cncvoidnetclickn'f
Source: unknown	DNS traffic detected: query: cnc.voidnet.click.'f66a/PV!E($:}5)'fJJPV!a/E<.@@(^OM^%K|+'f,JJa/PV!E<@6^OM^.,%n9|+'f=-BBPV!a/E4m@@(^OM^%`,

Source: global traffic

TCP traffic: 192.168.2.13:51550 -> 94.156.79.77:33966

Source: unknown

DNS traffic detected: queries for: cnc.voidnet.click

System Summary

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_gre.c
Source: ELF static info symbol of initial sample	Name: attack_gre_eth
Source: ELF static info symbol of initial sample	Name: attack_gre_ip
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_parse
Source: ELF static info symbol of initial sample	Name: attack_start
Source: ELF static info symbol of initial sample	Name: attack_std

Source: mJ4CsuZhyr.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/1@6/0

Persistence and Installation Behavior

Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/22/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/22/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/22/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/22/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/22/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/55/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/55/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/66/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/88/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/88/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/88/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/88/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/99/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/99/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/99/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/99/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/33/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/33/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/111/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/222/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/222/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/222/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/222/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/333/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/333/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/777/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/777/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/888/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/888/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11111/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/11111/stat			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/999/cmdline			Jump to behavior
Source: /tmp/mJ4CsuZhyr.elf (PID: 5435)	File opened: /proc/999/stat			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: /tmp/mJ4CsuZhyr.elf (PID: 5433)

File: /tmp/mJ4CsuZhyr.elf

Jump to behavior

Malware Analysis System Evasion

Source: /tmp/mJ4CsuZhyr.elf (PID: 5431)

Queries kernel information via 'uname':

Jump to behavior

Source: mJ4CsuZhyr.elf, 5431.1.00007ffe3904e000.00007ffe3906f000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.eDFJ3P
Source: mJ4CsuZhyr.elf, 5431.1.00007ffe3904e000.00007ffe3906f000.rw-.sdmp	Binary or memory string: V/tmp/qemu-open.eDFJ3P:uW
Source: mJ4CsuZhyr.elf, 5431.1.0000561ccd5e3000.0000561ccd734000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: mJ4CsuZhyr.elf, 5431.1.00007ffe3904e000.00007ffe3906f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: mJ4CsuZhyr.elf, 5431.1.0000561ccd5e3000.0000561ccd734000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: mJ4CsuZhyr.elf, 5431.1.00007ffe3904e000.00007ffe3906f000.rw-.sdmp	Binary or memory string: 5x86_64/usr/bin/qemu-arm/tmp/mJ4CsuZhyr.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mJ4CsuZhyr.elf

Stealing of Sensitive Information

Source: Yara match

File source: mJ4CsuZhyr.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match

File source: mJ4CsuZhyr.elf, type: SAMPLE