Linux Analysis Report
dPOYR1HYAD.elf

ID:	1432064
Product:	CloudBasic
Start time:	11:16:56
Start date:	26.04.2024
Sample:	dPOYR1HYAD.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	41d3ee7390ce39e60f95c0144128fc45
SHA1:	3c5e22a7c783a22f3de39b448911ab294847532b
SHA256:	2fa1aa901170e3b67af6006da325523b38bd610ac387cfeeac3dc55ea9e9aa55
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: dPOYR1HYAD.elf	ReversingLabs: Detection: 15%
Source: dPOYR1HYAD.elf	Virustotal: Detection: 13%			Perma Link

Bitcoin Miner

Source: /tmp/dPOYR1HYAD.elf (PID: 6211)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Networking

Source: dPOYR1HYAD.elf

String found in binary or memory: http://upx.sf.net

System Summary

Source: LOAD without section mappings

Program segment: 0x400000

Source: /tmp/dPOYR1HYAD.elf (PID: 6211)	SIGKILL sent: pid: -6209, result: unknown			Jump to behavior
Source: /tmp/dPOYR1HYAD.elf (PID: 6294)	SIGKILL sent: pid: 6294, result: unknown			Jump to behavior

Source: classification engine

Classification label: mal60.troj.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 4.30 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Source: /usr/bin/dash (PID: 6247)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.RsMkx57hJx /tmp/tmp.br4Wgx1gNE /tmp/tmp.pUQWfyOGYi			Jump to behavior
Source: /usr/bin/dash (PID: 6256)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.RsMkx57hJx /tmp/tmp.br4Wgx1gNE /tmp/tmp.pUQWfyOGYi			Jump to behavior

Source: /tmp/dPOYR1HYAD.elf (PID: 6211)	Reads from proc file: /proc/cpuinfo			Jump to behavior
Source: /tmp/dPOYR1HYAD.elf (PID: 6211)	Reads from proc file: /proc/meminfo			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: dPOYR1HYAD.elf	Submission file: segment LOAD with 7.5156 entropy (max. 8.0)
Source: dPOYR1HYAD.elf	Submission file: segment LOAD with 7.6806 entropy (max. 8.0)

Malware Analysis System Evasion

Source: /tmp/dPOYR1HYAD.elf (PID: 6211)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /tmp/dPOYR1HYAD.elf (PID: 6205)

Queries kernel information via 'uname':

Jump to behavior

Source: dPOYR1HYAD.elf, 6205.1.000055f11acfa000.000055f11ad81000.rw-.sdmp, dPOYR1HYAD.elf, 6209.1.000055f11acfa000.000055f11ad81000.rw-.sdmp, dPOYR1HYAD.elf, 6211.1.000055f11acfa000.000055f11ad81000.rw-.sdmp, dPOYR1HYAD.elf, 6294.1.000055f11acfa000.000055f11ad81000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: dPOYR1HYAD.elf, 6205.1.000055f11acfa000.000055f11ad81000.rw-.sdmp, dPOYR1HYAD.elf, 6209.1.000055f11acfa000.000055f11ad81000.rw-.sdmp, dPOYR1HYAD.elf, 6211.1.000055f11acfa000.000055f11ad81000.rw-.sdmp, dPOYR1HYAD.elf, 6294.1.000055f11acfa000.000055f11ad81000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: dPOYR1HYAD.elf, 6205.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp, dPOYR1HYAD.elf, 6209.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp, dPOYR1HYAD.elf, 6211.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp, dPOYR1HYAD.elf, 6294.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: dPOYR1HYAD.elf, 6205.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp, dPOYR1HYAD.elf, 6209.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp, dPOYR1HYAD.elf, 6211.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp, dPOYR1HYAD.elf, 6294.1.00007ffc8cd5a000.00007ffc8cd7b000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/dPOYR1HYAD.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dPOYR1HYAD.elf

Stealing of Sensitive Information

Source: Yara match	File source: 6205.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6209.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6211.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6294.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6205, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6209, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6211, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6294, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 6205.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6209.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6211.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6294.1.00007f25c4400000.00007f25c4426000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6205, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6209, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6211, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dPOYR1HYAD.elf PID: 6294, type: MEMORYSTR