Linux Analysis Report
bezWhgH7DL.elf

Overview

General Information

Sample name: bezWhgH7DL.elf (renamed because the original name is a hash value)
Original sample name: 83d35720ddf336f71e1702a332c590aa.elf
Analysis ID: 1438527
MD5: 83d35720ddf336f71e1702a332c590aa
SHA1: 69e5719152b284a6539d69b9b6e8939c9ba3374c
SHA256: e589db61d5e1b238c153aab66fa63763c6bf23c795c81e7e6794b7cfb70ff9da
Tags: 32, elf, mirai, sparc

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: bezWhgH7DL.elf ReversingLabs: Detection: 55%

Networking

Source: global traffic TCP traffic: 91.92.244.58 ports 0,1,5,6,9,60195
Source: global traffic TCP traffic: 192.168.2.13:51460 -> 91.92.244.58:60195
Source: /tmp/bezWhgH7DL.elf (PID: 5435) Socket: 127.0.0.1::63841
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global traffic DNS traffic detected: DNS query: minuoddos.top
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.troj.linELF@0/1@1/0
Source: /tmp/bezWhgH7DL.elf (PID: 5435) Queries kernel information via 'uname'
Source: bezWhgH7DL.elf, 5435.1.00005647dec8d000.00005647ded12000.rw-.sdmp, bezWhgH7DL.elf, 5437.1.00005647dec8d000.00005647ded12000.rw-.sdmp, bezWhgH7DL.elf, 5440.1.00005647dec8d000.00005647ded12000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sparc
Source: bezWhgH7DL.elf, 5435.1.00005647dec8d000.00005647ded12000.rw-.sdmp, bezWhgH7DL.elf, 5437.1.00005647dec8d000.00005647ded12000.rw-.sdmp, bezWhgH7DL.elf, 5440.1.00005647dec8d000.00005647ded12000.rw-.sdmp Binary or memory string: GV!/etc/qemu-binfmt/sparc
Source: bezWhgH7DL.elf, 5435.1.00007ffcf99c7000.00007ffcf99e8000.rw-.sdmp, bezWhgH7DL.elf, 5437.1.00007ffcf99c7000.00007ffcf99e8000.rw-.sdmp, bezWhgH7DL.elf, 5440.1.00007ffcf99c7000.00007ffcf99e8000.rw-.sdmp Binary or memory string: @2ROx86_64/usr/bin/qemu-sparc/tmp/bezWhgH7DL.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bezWhgH7DL.elf
Source: bezWhgH7DL.elf, 5435.1.00007ffcf99c7000.00007ffcf99e8000.rw-.sdmp, bezWhgH7DL.elf, 5437.1.00007ffcf99c7000.00007ffcf99e8000.rw-.sdmp, bezWhgH7DL.elf, 5440.1.00007ffcf99c7000.00007ffcf99e8000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sparc