Linux Analysis Report
fsa.elf

Overview

General Information

Sample name: fsa.elf
Analysis ID: 1431994
MD5: 5e692b7351f3ed9e69629ed39d66a0c5
SHA1: f47809e62dc517133dc7b45bb517fcd23a181673
SHA256: 3f63c1d262a6e900833b2dbd615f72006785c124d4ca7fda01cd621ca615865f
Tags: elf
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: fsa.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: fsa.elf ReversingLabs: Detection: 39%
Source: fsa.elf Virustotal: Detection: 35% Perma Link
Machine Learning detection for sample
Source: fsa.elf Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: fsa.elf, 6214.1.000000c000000000.000000c000400000.rw-.sdmp String found in binary or memory: http://127.0.0.1:8080
Source: fsa.elf String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal64.evad.linELF@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 6218) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.eaYG9ch38r /tmp/tmp.qhU28QogYd /tmp/tmp.gr2Bn6czuc Jump to behavior
Source: /usr/bin/dash (PID: 6227) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.eaYG9ch38r /tmp/tmp.qhU28QogYd /tmp/tmp.gr2Bn6czuc Jump to behavior
Source: submitted sample Stderr: ___ _ / _ \ ___ ___ _ __ __ _ ___| | __ / /_\/____/ __|/ __| '__/ _` |/ __| |/ // /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ fscan version: 1.8.0Usage of /tmp/fsa.elf: -br int Brute threads (default 1) -c string exec command (ssh) -cookie string set poc cookie,-cookie rememberMe=login -debug int every time to LogErr (default 60) -domain string smb domain -full poc full scan,as: shiro 100 key -h string IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12 -hf string host file, -hf ip.txt -hn string the hosts no scan,as: -hn 192.168.1.1/24 -m string Select scan type ,as: -m ssh (default "all") -no not to save output log -nobr not to Brute password -nopoc not to scan web vul -np not to ping -num int poc rate (default 20) -o string Outputfile (default "result.txt") -p string Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017") -pa string add port base DefaultPorts,-pa 3389 -path string fcgismb romote file path -ping using ping replace icmp -pn string the ports no scan,as: -pn 445 -pocname string use the pocs these contain pocname, -pocname weblogic -pocpath string poc file path -portf string Port File -proxy string set poc proxy, -proxy http://127.0.0.1:8080 -pwd string password -pwda string add a password base DefaultPasses,-pwda password -pwdf string password file -rf string redis file to write sshkey file (as: -rf id_rsa.pub) -rs string redis shell to write cron file (as: -rs 192.168.1.1:6666) -sc string ms17 shellcode,as -sc add -silent silent scan -socks5 string set socks5 proxy, will be used in tcp connection, timeout setting will not work -sshkey string sshkey file (id_rsa) -t int Thread nums (default 600) -time int Set timeout (default 3) -top int show live len top (default 10) -u string url -uf string urlfile -user string username -usera string add a user base DefaultUsers,-usera user -userf string username file -wt int Set web timeout (default 5): exit code = 0
ELF contains segments with high entropy indicating compressed/encrypted content
Source: fsa.elf Submission file: segment LOAD with 7.9224 entropy (max. 8.0)

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.171.230.55
 unknown United States
16509 AMAZON-02US false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false