Linux Analysis Report
310kHPPXaM.elf

Overview

General Information

Sample name: 310kHPPXaM.elf
renamed because original name is a hash value
Original sample name: 582dd71cf097fb9367857d7395d0c970.elf
Analysis ID: 1430958
MD5: 582dd71cf097fb9367857d7395d0c970
SHA1: f03e28ea6d607406d55607730faa48a2f20596b4
SHA256: 1cd133eeeb8b310db027d21beac122f7be4d270b46c552399ebc440b1d7f7475
Tags: 32elfmiraipowerpc
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 310kHPPXaM.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: 310kHPPXaM.elf Virustotal: Detection: 44% Perma Link
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/noneAccept: */*Accept-Encoding: identityHost: motd.ubuntu.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com
Source: 310kHPPXaM.elf String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 54642 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54642
Source: unknown Network traffic detected: HTTP traffic on port 37676 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5425.1.00007f0db800c000.00007f0db8010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5425.1.00007f0db800c000.00007f0db8010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Yara signature match
Source: 5425.1.00007f0db800c000.00007f0db8010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5425.1.00007f0db800c000.00007f0db8010000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal68.evad.linELF@0/0@2/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5502) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.TfkEzT1eOv /tmp/tmp.yJ2gDayQpJ /tmp/tmp.Ww0U5vbiaF Jump to behavior
Source: /usr/bin/dash (PID: 5511) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.TfkEzT1eOv /tmp/tmp.yJ2gDayQpJ /tmp/tmp.Ww0U5vbiaF Jump to behavior
ELF contains segments with high entropy indicating compressed/encrypted content
Source: 310kHPPXaM.elf Submission file: segment LOAD with 7.935 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/310kHPPXaM.elf (PID: 5425) Queries kernel information via 'uname': Jump to behavior
Source: 310kHPPXaM.elf, 5425.1.000055d957ba2000.000055d957c52000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: 310kHPPXaM.elf, 5425.1.000055d957ba2000.000055d957c52000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: 310kHPPXaM.elf, 5425.1.00007ffe34f28000.00007ffe34f49000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: 310kHPPXaM.elf, 5425.1.00007ffe34f28000.00007ffe34f49000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/310kHPPXaM.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/310kHPPXaM.elf
Source: 310kHPPXaM.elf, 5425.1.00007ffe34f28000.00007ffe34f49000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.217.10.153
 unknown United States
16509 AMAZON-02US false
34.254.182.186
 unknown United States
16509 AMAZON-02US false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://motd.ubuntu.com/ false
    		high