Linux Analysis Report
yI52EULGv3.elf

Overview

General Information

Sample name: yI52EULGv3.elf (renamed because the original name is a hash value)
Original sample name: fff941174b72a89e35fe36d85ec4bb96.elf
Analysis ID: 1431014
MD5: fff941174b72a89e35fe36d85ec4bb96
SHA1: 3535d4a54bae39e4d3088d0d7b19ae7fc2b9c61a
SHA256: 6a50f310a5ea0865540e663d7dcb638811866ee537bd60cfdc4a45afae9a998d
Tags: 32, elf, mirai, motorola

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: yI52EULGv3.elf Virustotal: Detection: 43%
Source: global traffic TCP traffic: 192.168.2.14:37030 -> 94.156.71.75:5683
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.71.75
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/yI52EULGv3.elf (PID: 5517) SIGKILL sent: pid: 0 (kernel), result: unknown
Source: classification engine Classification label: mal48.linELF@0/0@0/0
Source: /tmp/yI52EULGv3.elf (PID: 5519) Shell command executed: sh -c "mkdir /tuqrq95kgq/ && >/tuqrq95kgq/tuqrq95kgq && cd /tuqrq95kgq/ >/dev/null"
Source: /tmp/yI52EULGv3.elf (PID: 5522) Shell command executed: sh -c "mv /tmp/yI52EULGv3.elf /tuqrq95kgq/tuqrq95kgq && chmod 777 /tuqrq95kgq/tuqrq95kgq >/dev/null"
Source: /bin/sh (PID: 5525) Chmod executable: /usr/bin/chmod -> chmod 777 /tuqrq95kgq/tuqrq95kgq
Source: /bin/sh (PID: 5521) Mkdir executable: /usr/bin/mkdir -> mkdir /tuqrq95kgq/
Source: /usr/bin/chmod (PID: 5525) File: /tuqrq95kgq/tuqrq95kgq (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/sh (PID: 5525) Chmod executable with 777: /usr/bin/chmod -> chmod 777 /tuqrq95kgq/tuqrq95kgq
Source: /tmp/yI52EULGv3.elf (PID: 5513) Queries kernel information via 'uname'
Source: yI52EULGv3.elf, 5513.1.000055700709b000.0000557007120000.rw-.sdmp, yI52EULGv3.elf, 5515.1.000055700709b000.00005570070ff000.rw-.sdmp, yI52EULGv3.elf, 5517.1.000055700709b000.00005570070ff000.rw-.sdmp Binary or memory string: pU!/etc/qemu-binfmt/m68k
Source: yI52EULGv3.elf, 5513.1.00007ffca8860000.00007ffca8881000.rw-.sdmp, yI52EULGv3.elf, 5515.1.00007ffca8860000.00007ffca8881000.rw-.sdmp, yI52EULGv3.elf, 5517.1.00007ffca8860000.00007ffca8881000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: yI52EULGv3.elf, 5513.1.000055700709b000.0000557007120000.rw-.sdmp, yI52EULGv3.elf, 5515.1.000055700709b000.00005570070ff000.rw-.sdmp, yI52EULGv3.elf, 5517.1.000055700709b000.00005570070ff000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: yI52EULGv3.elf, 5513.1.00007ffca8860000.00007ffca8881000.rw-.sdmp, yI52EULGv3.elf, 5515.1.00007ffca8860000.00007ffca8881000.rw-.sdmp, yI52EULGv3.elf, 5517.1.00007ffca8860000.00007ffca8881000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/yI52EULGv3.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yI52EULGv3.elf