Linux Analysis Report
arm4-20240504-1301.elf

Overview

General Information

Sample name: arm4-20240504-1301.elf
Analysis ID: 1436350
MD5: 8952b7451345d100a6ac7edeca7b1d38
SHA1: 0a2615cafe8cf16b4f044c8c4eeb55ec177a590b
SHA256: f0a13d3b2ce216bcd9cdcf9c588a4ea52f615003b2712ca1152a8fb0c6cb9f7e

Detection

Gafgyt
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Deletes system log files
Manipulation of devices in /dev
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks. Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

AV Detection

Source: arm4-20240504-1301.elf ReversingLabs: Detection: 26%
Source: arm4-20240504-1301.elf Virustotal: Detection: 16%
Source: /tmp/arm4-20240504-1301.elf (PID: 5474) Socket: 127.0.0.1::46373
Source: arm4-20240504-1301.elf String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x8000
Source: /tmp/arm4-20240504-1301.elf (PID: 5505) SIGKILL sent: pid: 5503, result: successful
Source: classification engine Classification label: mal68.troj.evad.linELF@0/0@0/0

Data Obfuscation

Source: /tmp/arm4-20240504-1301.elf (PID: 5479) Deleted: /dev/kmsg
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /usr/bin/dash (PID: 5560) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BT85bFlL7I /tmp/tmp.rrJc4P7Djt /tmp/tmp.nS52FgaGwd
Source: /usr/bin/dash (PID: 5561) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BT85bFlL7I /tmp/tmp.rrJc4P7Djt /tmp/tmp.nS52FgaGwd

Hooking and other Techniques for Hiding and Protection

Source: /tmp/arm4-20240504-1301.elf (PID: 5479) Log files deleted: /var/log/kern.log
Source: arm4-20240504-1301.elf Submission file: segment LOAD with 7.7314 entropy (max. 8.0)
Source: /tmp/arm4-20240504-1301.elf (PID: 5474) Queries kernel information via 'uname'
Source: arm4-20240504-1301.elf, 5474.1.00007ffe4b951000.00007ffe4b972000.rw-.sdmp, arm4-20240504-1301.elf, 5503.1.00007ffe4b951000.00007ffe4b972000.rw-.sdmp, arm4-20240504-1301.elf, 5505.1.00007ffe4b951000.00007ffe4b972000.rw-.sdmp Binary or memory string: vCx86_64/usr/bin/qemu-arm/tmp/arm4-20240504-1301.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm4-20240504-1301.elf
Source: arm4-20240504-1301.elf, 5474.1.0000559cc0415000.0000559cc05e4000.rw-.sdmp, arm4-20240504-1301.elf, 5503.1.0000559cc0415000.0000559cc05e4000.rw-.sdmp, arm4-20240504-1301.elf, 5505.1.0000559cc0415000.0000559cc05e4000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm4-20240504-1301.elf, 5474.1.0000559cc0415000.0000559cc05e4000.rw-.sdmp, arm4-20240504-1301.elf, 5503.1.0000559cc0415000.0000559cc05e4000.rw-.sdmp, arm4-20240504-1301.elf, 5505.1.0000559cc0415000.0000559cc05e4000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm4-20240504-1301.elf, 5474.1.00007ffe4b951000.00007ffe4b972000.rw-.sdmp, arm4-20240504-1301.elf, 5503.1.00007ffe4b951000.00007ffe4b972000.rw-.sdmp, arm4-20240504-1301.elf, 5505.1.00007ffe4b951000.00007ffe4b972000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Source: Yara match File source: 5505.1.00007f67f0017000.00007f67f0039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5503.1.00007f67f0017000.00007f67f0039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5474.1.00007f67f0017000.00007f67f0039000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5505.1.00007f67f0017000.00007f67f0039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5503.1.00007f67f0017000.00007f67f0039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5474.1.00007f67f0017000.00007f67f0039000.r-x.sdmp, type: MEMORY
No contacted IP infos