Linux Analysis Report
X53Hpyg7Aj.elf

Overview

General Information

Sample name: X53Hpyg7Aj.elf
renamed because original name is a hash value
Original sample name: 978cd5ae0c8dcba7257cab900f56f797.elf
Analysis ID: 1430997
MD5: 978cd5ae0c8dcba7257cab900f56f797
SHA1: 1babf5e272870641682f738791dfd7089a33a394
SHA256: dc3845a6da683c46b1efe6bb8fa5f6d745f3de4fb4f2da7c4b4de4ee6529d3ee
Tags: 32, arm, elf, mirai

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample deletes itself
Found strings indicative of a multi-platform dropper
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: X53Hpyg7Aj.elf Virustotal: Detection: 17%
Source: X53Hpyg7Aj.elf ReversingLabs: Detection: 15%
Source: X53Hpyg7Aj.elf String: pts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforps
Source: /tmp/X53Hpyg7Aj.elf (PID: 5510) Socket: 127.0.0.1::8345
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforps
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/X53Hpyg7Aj.elf (PID: 5514) SIGKILL sent: pid: 888, result: successful
Source: classification engine Classification label: mal52.evad.linELF@0/0@0/0
Source: /tmp/X53Hpyg7Aj.elf (PID: 5512) Reads from proc file: /proc/stat

Hooking and other Techniques for Hiding and Protection

Source: /tmp/X53Hpyg7Aj.elf (PID: 5510) File: /tmp/X53Hpyg7Aj.elf
Source: /tmp/X53Hpyg7Aj.elf (PID: 5510) Queries kernel information via 'uname'
Source: X53Hpyg7Aj.elf, 5510.1.000055fd2d627000.000055fd2d77c000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: X53Hpyg7Aj.elf, 5510.1.00007ffd06ffc000.00007ffd0701d000.rw-.sdmp Binary or memory string: 2x86_64/usr/bin/qemu-arm/tmp/X53Hpyg7Aj.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/X53Hpyg7Aj.elf
Source: X53Hpyg7Aj.elf, 5510.1.000055fd2d627000.000055fd2d77c000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: X53Hpyg7Aj.elf, 5510.1.00007ffd06ffc000.00007ffd0701d000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
No contacted IP infos