Linux Analysis Report earyzq

Overview

General Information

Sample Name: earyzq
Analysis ID: 492062
MD5: 7fecf5809e5ab66224e0f08c40a8777a
SHA1: f78296acac2c310e035d04907bbdfabd75c40454
SHA256: 41af33fe2b340a117e8e87a6763817049e004fb58820f0242388b8e75470dd2e
Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Opens /proc/net/* files useful for finding connected devices and routers
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: earyzq Virustotal: Detection: 51%
Source: earyzq ReversingLabs: Detection: 51%

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/earyzq (PID: 5225) Opens: /proc/net/route
Note: /proc/net/route is the kernel's IPv4 routing table, readable without privilege, so a single read hands the process the default gateway (the router) and the on-link subnets; Linux DDoS bots read it to locate the local network before scanning or attacking it. The address fields are hex in the kernel's host byte order, which matters for this sample because the MIPS binary ran under qemu-mips on an x86_64 guest and therefore read an x86_64 kernel's little-endian rendering of the table.
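The following is an added example, not code from the report or from the sample: a Python parser that reads /proc/net/route the way a bot opening that file would, and pulls out the default gateway and on-link subnets. The routing table text, the interface name eth0 and the gateway 192.168.2.1 are constructed to match the sandbox subnet 192.168.2.0/24 seen in the report; the byte-order switch shows what a big-endian MIPS parser makes of the x86_64 kernel's rendering.

```python
"""Parse /proc/net/route the way a Linux bot that opens it would, to show what
the file hands the process: the default gateway (the router) and on-link subnets."""
import socket
import struct
from dataclasses import dataclass

# Constructed sample in the format the kernel writes. The sandbox guest was an
# x86_64 host running the MIPS sample under qemu-mips, so the 32-bit address
# fields appear in little-endian host order (192.168.2.1 prints as 0102A8C0).
SAMPLE_PROC_NET_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0102A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0002A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached via the Gateway column


@dataclass
class Route:
    iface: str
    dest: str
    gateway: str
    mask: str
    flags: int


def hex_to_ip(hexval, little_endian=True):
    """The kernel prints the network-order address word with %08X in host byte
    order, so on little-endian hosts the bytes read reversed; re-pack accordingly."""
    return socket.inet_ntoa(struct.pack("<I" if little_endian else ">I", int(hexval, 16)))


def parse_proc_net_route(text, little_endian=True):
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gw, flags, _refcnt, _use, _metric, mask = fields[:8]
        routes.append(Route(iface,
                            hex_to_ip(dest, little_endian),
                            hex_to_ip(gw, little_endian),
                            hex_to_ip(mask, little_endian),
                            int(flags, 16)))
    return routes


def default_gateway(routes):
    """Router address: the UP route to 0.0.0.0 that goes through a gateway."""
    for r in routes:
        if r.dest == "0.0.0.0" and r.flags & RTF_UP and r.flags & RTF_GATEWAY:
            return r.gateway
    return None


def onlink_subnets(routes):
    """(network, mask) pairs reachable directly, i.e. the LAN a bot would scan."""
    return [(r.dest, r.mask) for r in routes
            if r.flags & RTF_UP and not r.flags & RTF_GATEWAY and r.mask != "0.0.0.0"]


if __name__ == "__main__":
    routes = parse_proc_net_route(SAMPLE_PROC_NET_ROUTE)
    print("default gateway:", default_gateway(routes))
    print("on-link subnets:", onlink_subnets(routes))
    # A parser that assumes big-endian (native MIPS) order but is fed the x86_64
    # kernel's file gets the bytes backwards: 1.2.168.192 instead of 192.168.2.1.
    print("read as big-endian:",
          default_gateway(parse_proc_net_route(SAMPLE_PROC_NET_ROUTE, little_endian=False)))
```

The byte-order parameter is the practical caveat when reproducing this behaviour: a bot cross-compiled for big-endian MIPS that hard-codes its own byte order will compute a wrong gateway under qemu-user on x86_64, so a rerun on native MIPS hardware is needed before concluding anything about what the sample does with the result.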

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Note: these three connections are logged as global traffic rather than attributed to PID 5225, and 91.189.91.42 and 91.189.91.43 are in Canonical's (Ubuntu) address range, so they are at least as consistent with the analysis guest's own background traffic as with the sample. Confirm process attribution in the pcap before treating them as dropper or C2 contacts; the "expired dropper" verdict rests only on the connections failing.
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:53654 -> 178.128.193.205:606
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443 (ephemeral source port 43928 to destination port 443)
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443 (ephemeral source port 42836 to destination port 443)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 178.128.193.205 (38 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (1 occurrence)
Note: the report's repeated DNS-less entries are collapsed above with their counts. 178.128.193.205:606 is the only destination on a non-standard port and the only one contacted repeatedly; a hard-coded address retried in a loop is the usual shape of a bot's C2 reconnect, which makes it the indicator worth blocking and hunting for. The 80/443 destinations carry no such signal.
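As an added example (not code from the report), the triage the note above does by hand, run over constructed log lines in the shape of the report's traffic entries: rank destinations by whether they were contacted without a preceding DNS lookup, whether a non-standard port was used, and whether the same host was retried. The DNS line and the address 203.0.113.10 are invented so that one resolved destination contrasts with the report's real ones; the standard-port set and the scoring weights are assumptions of the example.

```python
"""Triage the connection list from a sandbox report: rank destinations by the
signals the report surfaces (no preceding DNS lookup, non-standard port,
repeated attempts to the same host)."""
import re
from collections import defaultdict

# Ports treated as "standard" for this triage; an assumption for the example,
# not the sandbox's own definition.
STANDARD_PORTS = {22, 25, 53, 80, 123, 443}

# Constructed event log in the shape of the report's traffic lines. The DNS line
# and 203.0.113.10 are invented so there is one resolved destination to contrast
# with the addresses the report actually lists.
EVENTS = """\
DNS query: example.invalid -> 203.0.113.10
TCP traffic: 192.168.2.23:40001 -> 203.0.113.10:443
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
TCP traffic: 192.168.2.23:53654 -> 178.128.193.205:606
TCP traffic: 192.168.2.23:53655 -> 178.128.193.205:606
TCP traffic: 192.168.2.23:53656 -> 178.128.193.205:606
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DNS_RE = re.compile(r"DNS query: (\S+) -> " + IPV4)
TCP_RE = re.compile(r"TCP traffic: " + IPV4 + r":(\d+) -> " + IPV4 + r":(\d+)")


def parse_events(text):
    """Return (resolved_ips, connections): addresses seen in a DNS answer, and
    (src_ip, src_port, dst_ip, dst_port) tuples in log order."""
    resolved = set()
    conns = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m:
            resolved.add(m.group(2))
            continue
        m = TCP_RE.search(line)
        if m:
            conns.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return resolved, conns


def triage(text, retry_threshold=3):
    """Per destination: attempt count, ports, the three signals and a score.
    Weights (1 for no DNS, 2 for a non-standard port, 1 for retries) are an
    arbitrary choice for the example."""
    resolved, conns = parse_events(text)
    per_dst = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for _src, _sport, dst, dport in conns:
        per_dst[dst]["attempts"] += 1
        per_dst[dst]["ports"].add(dport)
    result = {}
    for dst, info in per_dst.items():
        no_dns = dst not in resolved
        nonstandard = any(p not in STANDARD_PORTS for p in info["ports"])
        repeated = info["attempts"] >= retry_threshold
        score = (1 if no_dns else 0) + (2 if nonstandard else 0) + (1 if repeated else 0)
        result[dst] = {
            "attempts": info["attempts"],
            "ports": sorted(info["ports"]),
            "no_dns": no_dns,
            "nonstandard_port": nonstandard,
            "repeated": repeated,
            "score": score,
        }
    return result


def rank(text):
    """Destinations ordered from most to least suspicious."""
    return sorted(triage(text).items(),
                  key=lambda kv: (-kv[1]["score"], -kv[1]["attempts"], kv[0]))


if __name__ == "__main__":
    for dst, info in rank(EVENTS):
        flags = [k for k in ("no_dns", "nonstandard_port", "repeated") if info[k]]
        print(f"{dst:>16} ports={info['ports']} attempts={info['attempts']} "
              f"score={info['score']} {' '.join(flags)}")
```

On this input 178.128.193.205 is the only destination that trips all three signals; the 80/443 hosts score on the missing DNS lookup alone, which is exactly why that single signal is not enough on its own to separate C2 from the guest's background traffic.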

System Summary:

Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: vseattack
Source: classification engine Classification label: mal56.spre.lin@0/1@0/0
Source: ELF static info symbol of initial sample FILE: libc/string/mips/memcpy.S
Source: ELF static info symbol of initial sample FILE: libc/string/mips/memset.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/crt1.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/crti.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/mips/crtn.S
Note: vseattack is the one symbol that supports the signature; the name matches the Valve Source Engine (VSE) query-flood routine found in Gafgyt/Bashlite-derived DDoS bots. The FILE symbols are uClibc source paths (libc/sysdeps/linux/mips/ is uClibc's tree layout) left behind by a statically linked, unstripped MIPS build from an embedded cross-compiler; they identify the toolchain rather than malicious behaviour, and the unstripped symbol table is what makes the vseattack name visible at all.

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/earyzq (PID: 5225) Queries kernel information via 'uname'
Source: earyzq, 5225.1.00000000d266644f.000000004696e3f6.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips
Source: earyzq, 5225.1.00000000459f8d37.00000000f614ad06.rw-.sdmp Binary or memory string: V/tmp/qemu-open.u9Ui0f\
Source: earyzq, 5225.1.00000000d266644f.000000004696e3f6.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: earyzq, 5225.1.00000000459f8d37.00000000f614ad06.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/earyzqSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/earyzq
Source: earyzq, 5225.1.00000000459f8d37.00000000f614ad06.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: earyzq, 5225.1.00000000459f8d37.00000000f614ad06.rw-.sdmp Binary or memory string: /tmp/qemu-open.u9Ui0f
Note: the uname call is the only part of this section that comes from the sample, and Linux bots routinely call uname for architecture and kernel details, so on its own it is weak evidence of evasion. Every qemu string here is residue of the analysis setup: the MIPS ELF was run through binfmt_misc with /usr/bin/qemu-mips on an x86_64 guest, and /etc/qemu-binfmt/mips, /tmp/qemu-open.* and the host environment block (SUDO_USER, PATH, DISPLAY and so on, ending in the sample path /tmp/earyzq) are what qemu-user leaves in the emulated process's memory. They should not be read as the sample detecting QEMU; a rerun on native MIPS hardware is the way to separate the sample's behaviour from the emulator's.