Linux Analysis Report
Ym7yz87EyV.elf

ID:	1431595
Product:	CloudBasic
Start time:	13:55:11
Start date:	25.04.2024
Sample:	Ym7yz87EyV.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	78068eac98e9fd37115c26b982e1d5ec
SHA1:	97647b7b46b265fbab2742847d9c4cb591cef03b
SHA256:	43f34871536a4c4659960f4ddd8f46c10308687b0a5030ebe73691e0c7dc7d00
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: Ym7yz87EyV.elf

Avira: detected

Source: Ym7yz87EyV.elf	Virustotal: Detection: 41%			Perma Link
Source: Ym7yz87EyV.elf	ReversingLabs: Detection: 48%

Spreading

Source: Ym7yz87EyV.elf

String: HTTP/1.1 200 OKcundi.armcundi.arm5cundi.arm6cundi.arm7cundi.mipscundi.mpslcundi.x86_64cundi.sh4/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlbusyboxecho/proc/proc/%d/cmdlineabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt3f

Networking

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Source: Ym7yz87EyV.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5492.1.00007f3bb4400000.00007f3bb441a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Ym7yz87EyV.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKcundi.armcundi.arm5cundi.arm6cundi.arm7cundi.mipscundi.mpslcundi.x86_64cundi.sh4/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlbusyboxecho/proc/proc/%d/cmdlineabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt3f

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Ym7yz87EyV.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5492.1.00007f3bb4400000.00007f3bb441a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Ym7yz87EyV.elf PID: 5492, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@2/0

Malware Analysis System Evasion

Source: /tmp/Ym7yz87EyV.elf (PID: 5492)

Queries kernel information via 'uname':

Jump to behavior

Source: Ym7yz87EyV.elf, 5492.1.00007ffe71545000.00007ffe71566000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: Ym7yz87EyV.elf, 5492.1.000055d3e8374000.000055d3e83d7000.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: Ym7yz87EyV.elf, 5492.1.000055d3e8374000.000055d3e83d7000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: Ym7yz87EyV.elf, 5492.1.00007ffe71545000.00007ffe71566000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: Ym7yz87EyV.elf, 5492.1.00007ffe71545000.00007ffe71566000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/Ym7yz87EyV.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Ym7yz87EyV.elf

Stealing of Sensitive Information

Source: Yara match	File source: Ym7yz87EyV.elf, type: SAMPLE
Source: Yara match	File source: 5492.1.00007f3bb4400000.00007f3bb441a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ym7yz87EyV.elf PID: 5492, type: MEMORYSTR

Source: Yara match	File source: Ym7yz87EyV.elf, type: SAMPLE
Source: Yara match	File source: 5492.1.00007f3bb4400000.00007f3bb441a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ym7yz87EyV.elf PID: 5492, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: Ym7yz87EyV.elf, type: SAMPLE
Source: Yara match	File source: 5492.1.00007f3bb4400000.00007f3bb441a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ym7yz87EyV.elf PID: 5492, type: MEMORYSTR

Source: Yara match	File source: Ym7yz87EyV.elf, type: SAMPLE
Source: Yara match	File source: 5492.1.00007f3bb4400000.00007f3bb441a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ym7yz87EyV.elf PID: 5492, type: MEMORYSTR