Linux Analysis Report
vtuYyqk0Xt.elf

Overview

General Information

Sample name: vtuYyqk0Xt.elf
renamed because original name is a hash value
Original sample name: 793be16fef4f582681cbce1dccbb7bef.elf
Analysis ID: 1432416
MD5: 793be16fef4f582681cbce1dccbb7bef
SHA1: 9ba868063f527b9dd3b2e6ef6a593443a9e12198
SHA256: fb088cec2214538871e219a8f90f737cbdb9b759d2473d92efe9de084fbc9e30
Tags: 32armelfmirai
Infos:

Detection

Gafgyt
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Deletes system log files
Manipulation of devices in /dev
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name Description Attribution Blogpost URLs Link
Bashlite, Gafgyt Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: vtuYyqk0Xt.elf ReversingLabs: Detection: 52%
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:60500 -> 94.156.248.19:5667
Sample listens on a socket
Source: /tmp/vtuYyqk0Xt.elf (PID: 6222) Socket: 127.0.0.1::46373 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: global traffic DNS traffic detected: DNS query: retardedclassmate.dyn
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.troj.evad.linELF@0/0@1/0

Data Obfuscation
barindex
Manipulation of devices in /dev
Source: /tmp/vtuYyqk0Xt.elf (PID: 6230) Deleted: /dev/kmsg Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/vtuYyqk0Xt.elf (PID: 6230) Log files deleted: /var/log/kern.log Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/vtuYyqk0Xt.elf (PID: 6222) Queries kernel information via 'uname': Jump to behavior
Source: vtuYyqk0Xt.elf, 6222.1.00007ffcbb3ee000.00007ffcbb40f000.rw-.sdmp, vtuYyqk0Xt.elf, 6226.1.00007ffcbb3ee000.00007ffcbb40f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/vtuYyqk0Xt.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/vtuYyqk0Xt.elf
Source: vtuYyqk0Xt.elf, 6222.1.000055ae47fa9000.000055ae4811f000.rw-.sdmp, vtuYyqk0Xt.elf, 6226.1.000055ae47fa9000.000055ae4811f000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: vtuYyqk0Xt.elf, 6222.1.000055ae47fa9000.000055ae4811f000.rw-.sdmp, vtuYyqk0Xt.elf, 6226.1.000055ae47fa9000.000055ae4811f000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: vtuYyqk0Xt.elf, 6222.1.00007ffcbb3ee000.00007ffcbb40f000.rw-.sdmp, vtuYyqk0Xt.elf, 6226.1.00007ffcbb3ee000.00007ffcbb40f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information
barindex
Yara detected Gafgyt
Source: Yara match File source: vtuYyqk0Xt.elf, type: SAMPLE
Source: Yara match File source: 6226.1.00007f95f0017000.00007f95f0038000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6222.1.00007f95f0017000.00007f95f0038000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Gafgyt
Source: Yara match File source: vtuYyqk0Xt.elf, type: SAMPLE
Source: Yara match File source: 6226.1.00007f95f0017000.00007f95f0038000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6222.1.00007f95f0017000.00007f95f0038000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
94.156.248.19
 unknown Bulgaria
34224 NETERRA-ASBG false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
retardedclassmate.dyn 85.239.33.65 true