Linux Analysis Report
4GtFbR4O3j.elf

Overview

General Information

Sample name:	4GtFbR4O3j.elf renamed because original name is a hash value
Original sample name:	8264e58a77b9ca4424a8d9a9863e0ee6.elf
Analysis ID:	1432417
MD5:	8264e58a77b9ca4424a8d9a9863e0ee6
SHA1:	7d1446707b7db9ed4317637264f6414c9a151ff6
SHA256:	e1dbc46eea55f940b6f63822b88b45e4be4fd122deb867a55e13f7b3820678ec
Tags:	32armelfmirai
Infos:

Detection

Gafgyt

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Gafgyt

Deletes system log files

Manipulation of devices in /dev

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 4GtFbR4O3j.elf

ReversingLabs: Detection: 52%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.13:49468 -> 94.156.248.19:5667

Sample listens on a socket

Source: /tmp/4GtFbR4O3j.elf (PID: 5433)

Socket: 127.0.0.1::46373

Jump to behavior

Source: unknown

UDP traffic detected without corresponding DNS query: 51.77.149.139

Source: global traffic

DNS traffic detected: DNS query: servernoworky.geek

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal64.troj.evad.linELF@0/0@1/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/4GtFbR4O3j.elf (PID: 5440)

Deleted: /dev/kmsg

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/4GtFbR4O3j.elf (PID: 5440)

Log files deleted: /var/log/kern.log

Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/4GtFbR4O3j.elf (PID: 5433)

Queries kernel information via 'uname':

Jump to behavior

Source: 4GtFbR4O3j.elf, 5433.1.00007ffeca6f1000.00007ffeca712000.rw-.sdmp, 4GtFbR4O3j.elf, 5437.1.00007ffeca6f1000.00007ffeca712000.rw-.sdmp	Binary or memory string: c_x86_64/usr/bin/qemu-arm/tmp/4GtFbR4O3j.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/4GtFbR4O3j.elf
Source: 4GtFbR4O3j.elf, 5433.1.000055a125c5f000.000055a125dd5000.rw-.sdmp, 4GtFbR4O3j.elf, 5437.1.000055a125c5f000.000055a125dd5000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 4GtFbR4O3j.elf, 5433.1.000055a125c5f000.000055a125dd5000.rw-.sdmp, 4GtFbR4O3j.elf, 5437.1.000055a125c5f000.000055a125dd5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 4GtFbR4O3j.elf, 5433.1.00007ffeca6f1000.00007ffeca712000.rw-.sdmp, 4GtFbR4O3j.elf, 5437.1.00007ffeca6f1000.00007ffeca712000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: 4GtFbR4O3j.elf, type: SAMPLE
Source: Yara match	File source: 5437.1.00007f57a4017000.00007f57a4039000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5433.1.00007f57a4017000.00007f57a4039000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match	File source: 4GtFbR4O3j.elf, type: SAMPLE
Source: Yara match	File source: 5437.1.00007f57a4017000.00007f57a4039000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5433.1.00007f57a4017000.00007f57a4039000.r-x.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.248.19	unknown	Bulgaria		34224	NETERRA-ASBG	false

Contacted Domains

Name	IP	Active
servernoworky.geek	94.156.248.18	true

ID:	1432417
Product:	CloudBasic
Start time:	01:29:06
Start date:	27.04.2024
Sample:	4GtFbR4O3j.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	8264e58a77b9ca4424a8d9a9863e0ee6
SHA1:	7d1446707b7db9ed4317637264f6414c9a151ff6
SHA256:	e1dbc46eea55f940b6f63822b88b45e4be4fd122deb867a55e13f7b3820678ec
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
4GtFbR4O3j.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report 4GtFbR4O3j.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
4GtFbR4O3j.elf

Malware Threat Intel
Provided by