Linux Analysis Report
bNfT1T8DVz.elf

Overview

General Information

Sample name: bNfT1T8DVz.elf
renamed because original name is a hash value
Original sample name: e7095714fd3abf47d7f7e388da9348d7.elf
Analysis ID: 1432501
MD5: e7095714fd3abf47d7f7e388da9348d7
SHA1: f5cd314c44f9b80b9e89c3165f7967edfd55bb48
SHA256: 1e9725107dc8b5503189c7b3681788ebffd83916473e67176e8825e2040af488
Tags: 32armelfmirai
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads system version information
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: bNfT1T8DVz.elf ReversingLabs: Detection: 57%
Source: bNfT1T8DVz.elf Virustotal: Detection: 59% Perma Link

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 5.181.80.140 ports 38241,1,2,3,4,8
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:56428 -> 5.181.80.140:38241
Sample listens on a socket
Source: /tmp/bNfT1T8DVz.elf (PID: 6028) Socket: 127.0.0.1::39148 Jump to behavior
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: global traffic DNS traffic detected: DNS query: netfags.geek
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.troj.linELF@0/0@1/0
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/lib/snapd/snap-failure (PID: 6079) Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket Jump to behavior
Reads system version information
Source: /usr/lib/snapd/snap-failure (PID: 6065) Reads version info: /proc/version Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/bNfT1T8DVz.elf (PID: 6028) Queries kernel information via 'uname': Jump to behavior
Source: bNfT1T8DVz.elf, 6028.1.00007ffdaee67000.00007ffdaee88000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/bNfT1T8DVz.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bNfT1T8DVz.elf
Source: bNfT1T8DVz.elf, 6028.1.0000560e81b80000.0000560e81cae000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: bNfT1T8DVz.elf, 6028.1.00007ffdaee67000.00007ffdaee88000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: bNfT1T8DVz.elf, 6028.1.0000560e81b80000.0000560e81cae000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
5.181.80.140
 unknown Bulgaria
57344 TELEHOUSE-ASBG true

Contacted Domains

Name IP Active
netfags.geek 5.181.80.59 true