Linux Analysis Report
kaq4CUrP8v.elf

Overview

General Information

Sample name: kaq4CUrP8v.elf
renamed because original name is a hash value
Original sample name: 99e965ba249f75003c25403014017cd2.elf
Analysis ID: 1430970
MD5: 99e965ba249f75003c25403014017cd2
SHA1: f286beb29e8eeb29ac8b55e8e283b300d56b39ea
SHA256: ef72171c7a5fe2769ae66b2e623d7b47692199a516653d157008e9854d7f38d2
Tags: 32 elf mirai renesas

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Queries the IP of a very long domain name
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Connects to many different domains
Detected TCP or UDP traffic on non-standard ports
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: kaq4CUrP8v.elf Virustotal: Detection: 14%
Source: kaq4CUrP8v.elf ReversingLabs: Detection: 28%
Source: kaq4CUrP8v.elf String: EApts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforps

Networking

Source: unknown DNS traffic detected: query: kz.adolfhitler.su (15 queries)
Source: unknown DNS traffic detected: query: siegheil.hiter.su (5 queries)
Source: unknown DNS traffic detected: query: sex.secure-cyber-security (5 queries)
Source: unknown DNS traffic detected: query: kz.adolfhitler.su (10 queries)
Source: unknown DNS traffic detected: query: siegheil.hiter.su (5 queries)
Source: unknown Network traffic detected: DNS query count 43
Source: global traffic TCP traffic: 192.168.2.14:54446 -> 212.70.149.14:35342
Source: global traffic TCP traffic: 192.168.2.14:37486 -> 212.70.149.10:35342
Source: /tmp/kaq4CUrP8v.elf (PID: 5487) Socket: 127.0.0.1::8345
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14 (14 events)
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 94.16.114.254 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 81.169.136.222 (5 events)
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87 (1 event)
Source: unknown DNS traffic detected: queries for: sex.secure-cyber-security

System Summary

Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 490, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 661, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 725, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 726, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 767, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 769, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 780, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 782, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 785, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 791, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 797, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 801, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 940, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 1289, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 1299, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 1300, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 1309, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 2955, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 2956, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 2991, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 3094, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 3147, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 3157, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 3838, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5331, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5474, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5475, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5493, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5494, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5496, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5499, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5520, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5533, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5538, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5541, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5542, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5547, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5548, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5549, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5550, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5551, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5552, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5553, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5554, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5555, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5556, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5557, result: successful
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: EApts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforps
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.spre.troj.evad.linELF@0/0@56/0
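
The DNS queries, the two TCP sessions to 212.70.149.14 and 212.70.149.10 on port 35342, the local listener on 127.0.0.1:8345 and the SIGKILL storm listed above are the actionable indicators on this page. The Python below is an added example, not part of the report or of the sandbox vendor's tooling: it parses lines written in this report's own "Source: ..." format into IOCs, summarises the process-kill behaviour and emits Suricata rules for the domains and C2 endpoints. Its REPORT input is a constructed excerpt of this page (the binary tails the report appends to DNS query names are already stripped); the sid range 9000001 and upward and the rule message text are assumptions. One caveat on the kill lines: "result: successful" is the return value of kill(), and the kernel drops SIGKILL aimed at PID 1, so init did not actually die in the sandbox.

```python
import re
from collections import Counter

# Constructed excerpt of the report above, used as offline input. The binary
# tails that the report appends to each DNS query name are already stripped
# here; raw lines would need that cleanup before RE_DNS applies cleanly.
REPORT = """\
SHA256: ef72171c7a5fe2769ae66b2e623d7b47692199a516653d157008e9854d7f38d2
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.
Source: unknown DNS traffic detected: query: siegheil.hiter.su.
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.
Source: global traffic TCP traffic: 192.168.2.14:54446 -> 212.70.149.14:35342
Source: global traffic TCP traffic: 192.168.2.14:37486 -> 212.70.149.10:35342
Source: /tmp/kaq4CUrP8v.elf (PID: 5487) Socket: 127.0.0.1::8345
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 490, result: successful
Source: /tmp/kaq4CUrP8v.elf (PID: 5491) SIGKILL sent: pid: 5557, result: successful
"""

RE_SHA256 = re.compile(r"SHA256: ([0-9a-f]{64})")
RE_DNS = re.compile(r"DNS traffic detected: query: ([A-Za-z0-9.-]+)")
RE_TCP = re.compile(r"TCP traffic: \S+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")
RE_LISTEN = re.compile(r"Socket: ([\d.]+)::(\d+)")
RE_DIRECT = re.compile(r"(TCP|UDP) traffic detected without corresponding DNS query: ([\d.]+)")
RE_KILL = re.compile(r"\(PID: (\d+)\) SIGKILL sent: pid: (\d+)(?: \([^)]*\))?, result: (\w+)")


def extract_iocs(report: str) -> dict:
    """One pass over the report lines; counters keep the 'how often' signal."""
    iocs = {"sha256": None, "domains": Counter(), "c2": Counter(),
            "listeners": set(), "direct": Counter(), "killed": []}
    for line in report.splitlines():
        if m := RE_SHA256.search(line):
            iocs["sha256"] = m.group(1)
        elif m := RE_DNS.search(line):
            iocs["domains"][m.group(1).rstrip(".")] += 1
        elif m := RE_TCP.search(line):
            iocs["c2"][(m.group(1), int(m.group(2)))] += 1
        elif m := RE_LISTEN.search(line):
            iocs["listeners"].add(f"{m.group(1)}:{m.group(2)}")
        elif m := RE_DIRECT.search(line):
            iocs["direct"][m.group(2)] += 1
        elif m := RE_KILL.search(line):
            iocs["killed"].append((int(m.group(1)), int(m.group(2)),
                                   m.group(3) == "successful"))
    iocs["listeners"] = sorted(iocs["listeners"])
    return iocs


def kill_summary(iocs: dict) -> dict:
    """Mirai-style 'killer' fingerprint: many distinct targets, init among them.
    'successful' is the kill() syscall result; the kernel ignores SIGKILL for
    PID 1, so a successful kill of init says nothing about init's fate."""
    ok = {pid for _, pid, success in iocs["killed"] if success}
    return {"distinct_pids": len(ok), "init_targeted": 1 in ok,
            "killer_behaviour": len(ok) >= 10 or 1 in ok}


def suricata_rules(iocs: dict, first_sid: int = 9000001) -> list:
    """Suricata 5+ syntax (dns.query sticky buffer). The sid range is an
    assumption; pick one that is free in your ruleset. Direct-IP hits are
    deliberately not turned into rules: 1.0.0.1 is a public resolver."""
    rules, sid = [], first_sid
    tag = (iocs["sha256"] or "unknown")[:12]
    for dom in sorted(iocs["domains"]):
        rules.append(f'alert dns any any -> any any (msg:"ELF {tag} DNS query {dom}"; '
                     f'dns.query; content:"{dom}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip, port in sorted(iocs["c2"]):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"ELF {tag} C2 connect"; '
                     f'flow:to_server,established; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    found = extract_iocs(REPORT)
    print(kill_summary(found))
    print("\n".join(suricata_rules(found)))
```

Feed the full report text instead of REPORT to get the complete counts; the SIGKILL target set is the strongest host-side signal here, since ordinary software never sends SIGKILL to PID 1 or to dozens of unrelated processes.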

Persistence and Installation Behavior

Source: /bin/fusermount (PID: 5535) File: /proc/5535/mounts

Hooking and other Techniques for Hiding and Protection

Source: /tmp/kaq4CUrP8v.elf (PID: 5487) File: /tmp/kaq4CUrP8v.elf
Source: /tmp/kaq4CUrP8v.elf (PID: 5487) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5557) Queries kernel information via 'uname':
Source: kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: /tmp/vmware-root_726-2957583432
Source: kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt
Source: kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: U/sh4/tmp/vmware-root_726-2957583432
Source: kaq4CUrP8v.elf, 5487.1.00007fffd8869000.00007fffd888a000.rw-.sdmp, kaq4CUrP8v.elf, 5493.1.00007fffd8869000.00007fffd888a000.rw-.sdmp, kaq4CUrP8v.elf, 5494.1.00007fffd8869000.00007fffd888a000.rw-.sdmp, kaq4CUrP8v.elf, 5496.1.00007fffd8869000.00007fffd888a000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: kaq4CUrP8v.elf, 5487.1.00007fffd8869000.00007fffd888a000.rw-.sdmp, kaq4CUrP8v.elf, 5493.1.00007fffd8869000.00007fffd888a000.rw-.sdmp, kaq4CUrP8v.elf, 5494.1.00007fffd8869000.00007fffd888a000.rw-.sdmp, kaq4CUrP8v.elf, 5496.1.00007fffd8869000.00007fffd888a000.rw-.sdmp Binary or memory string: sx86_64/usr/bin/qemu-sh4/tmp/kaq4CUrP8v.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kaq4CUrP8v.elf
Source: kaq4CUrP8v.elf, 5487.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp, kaq4CUrP8v.elf, 5493.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp, kaq4CUrP8v.elf, 5494.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp, kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: kaq4CUrP8v.elf, 5487.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp, kaq4CUrP8v.elf, 5493.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp, kaq4CUrP8v.elf, 5494.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp, kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: kaq4CUrP8v.elf, 5496.1.00007fbbb8432000.00007fbbb8435000.rw-.sdmp Binary or memory string: 1/tmp/vmware-root_726-29575834321P
Source: kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: U1/tmp/vmware-root_726-29575834321Q
Source: kaq4CUrP8v.elf, 5496.1.000055ddfc484000.000055ddfc50d000.rw-.sdmp Binary or memory string: /sh4/tmp/vmware-root_726-2957583432
Source: kaq4CUrP8v.elf, 5496.1.00007fbbb8428000.00007fbbb8432000.rw-.sdmp Binary or memory string: vmware-root_726-2957583432
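
The "Sample deletes itself" event above (PID 5487 unlinking /tmp/kaq4CUrP8v.elf while it keeps running) is the behaviour a responder can hunt for on a live box: the kernel keeps the unlinked executable's inode alive, and /proc/<pid>/exe then reads "<path> (deleted)". The Python below is an added example, not part of the report; scan_proc() takes the proc root as a parameter so the same function runs against the real /proc or against the constructed fixture from build_fixture(), whose PIDs and path are borrowed from this page. Two caveats on the other entries in this section, both supported by the report's own attributions: the /proc/mounts read listed under Persistence is performed by /bin/fusermount (PID 5535), not by the sample, and the qemu-sh4, /etc/qemu-binfmt and vmware-root strings come from the sandbox running this SH4 (Renesas) build under user-mode QEMU, whose launcher environment block is visible in the dump, so they are not evidence of VM detection by the sample itself.

```python
import os
import tempfile


def scan_proc(proc_root: str = "/proc") -> list:
    """Walk <proc_root>/<pid>/exe and flag processes whose backing file is
    gone ('... (deleted)') or lives in a world-writable scratch directory."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            # kernel thread, process already gone, or not readable without
            # root/CAP_SYS_PTRACE: nothing to classify
            continue
        reasons = []
        if target.endswith(" (deleted)"):
            reasons.append("executable deleted")
        if target.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            reasons.append("runs from world-writable directory")
        if reasons:
            findings.append({"pid": int(entry), "exe": target, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


def build_fixture() -> str:
    """Constructed /proc look-alike for offline use: two benign entries and
    one modelled on the sample (PID and path taken from the report). Symlink
    targets do not need to exist; readlink only returns the link text."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    layout = {
        "1": "/usr/lib/systemd/systemd",
        "5491": "/tmp/kaq4CUrP8v.elf (deleted)",
        "5557": "/usr/sbin/rsyslogd",
    }
    for pid, exe in layout.items():
        os.mkdir(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))
    os.mkdir(os.path.join(root, "self"))  # non-numeric entries must be skipped
    return root


if __name__ == "__main__":
    for finding in scan_proc(build_fixture()):
        print(finding)
    # On a live system run as root so every exe link is readable:
    # for finding in scan_proc("/proc"): print(finding)
```

A hit with "executable deleted" still has its original binary recoverable via /proc/<pid>/exe (cp it out before killing the process), which is the usual way to get a sample off a device that only has the running copy left.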