Linux Analysis Report
tftp

Overview

General Information

Sample Name: tftp
Analysis ID: 635352
MD5: b8724cd89cae5c44cc8d2b90b85a4f11
SHA1: ef35fa64fc9dbcf8bd31fffa0a49ce194a945654
SHA256: 4a6d9163d3d9725bf5ecb8bc126a740e246b921ee675007665c147178c8784f7
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Opens /proc/net/* files useful for finding connected devices and routers
Sample contains symbols with suspicious names
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: tftp Avira: detected
Multi AV Scanner detection for submitted file
Source: tftp Virustotal: Detection: 62% Perma Link

Spreading
barindex
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/tftp (PID: 6232) Opens: /proc/net/route Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.23:57822 -> 45.95.55.12:23
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown TCP traffic detected without corresponding DNS query: 46.46.46.46
Source: unknown TCP traffic detected without corresponding DNS query: 48.48.48.48
Source: tftp String found in binary or memory: http://45.95.55.12/bins.sh;
Sample contains symbols with suspicious names
Source: ELF static info symbol of initial sample Name: passwords
Source: classification engine Classification label: mal68.spre.lin@0/0@0/0
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: libc/string/arm/_memcpy.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/memcpy.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/memset.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/strcmp.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/strlen.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/crt1.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/crti.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/crtn.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/sigrestorer.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/vfork.S
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/tftp (PID: 6232) Queries kernel information via 'uname': Jump to behavior
Source: tftp, 6232.1.00000000ec6b475a.0000000062454580.rw-.sdmp, tftp, 6234.1.00000000ec6b475a.0000000062454580.rw-.sdmp Binary or memory string: DTx86_64/usr/bin/qemu-arm/tmp/tftpSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp
Source: tftp, 6232.1.00000000881ed728.000000009695d3f6.rw-.sdmp, tftp, 6234.1.00000000881ed728.000000009695d3f6.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: tftp, 6232.1.00000000ec6b475a.0000000062454580.rw-.sdmp, tftp, 6234.1.00000000ec6b475a.0000000062454580.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: tftp, 6232.1.00000000881ed728.000000009695d3f6.rw-.sdmp, tftp, 6234.1.00000000881ed728.000000009695d3f6.rw-.sdmp Binary or memory string: ASiU!/etc/qemu-binfmt/arm

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
168.92.30.125
 unknown United States
16399 FIRSTCOMM-AS2US false
62.12.132.129
 unknown Switzerland
15623 CYBERLINKCyberlinkAGCH false
115.165.142.94
 unknown Japan 9365 ITSCOMitscommunicationsIncJP false
85.164.112.44
 unknown Norway
2119 TELENOR-NEXTELTelenorNorgeASNO false
87.164.170.161
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
202.105.114.179
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
116.19.113.163
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
23.125.91.155
 unknown United States
7018 ATT-INTERNET4US false
126.67.106.10
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
153.174.172.38
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
110.110.110.110
 unknown China
38341 CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN false
140.185.185.201
 unknown United States
27087 DNIC-ASBLK-27032-27159US false
72.72.72.72
 unknown United States
701 UUNETUS false
199.105.180.183
 unknown United States
17229 ATT-CERFNET-BLOCKUS false
175.76.181.122
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
158.158.158.158
 unknown Singapore
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
144.75.151.32
 unknown United States
14169 VMI-ASNUS false
155.124.245.198
 unknown United States
35163 BRAUN-ASDE false
177.108.184.65
 unknown Brazil
26615 TIMSABR false
134.187.57.62
 unknown United States
1226 CTA-42-AS1226US false
217.94.93.163
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
183.183.183.183
 unknown Japan 45684 MIRAINETKyoceraCommunicationSystemsCoLtdJP false
20.72.80.124
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
209.162.185.253
 unknown United States
17184 ATL-CBEYONDUS false
196.193.127.123
 unknown South Africa
23889 MauritiusTelecomMU false
181.82.187.128
 unknown Argentina
7303 TelecomArgentinaSAAR false
186.174.227.156
 unknown Chile
3816 COLOMBIATELECOMUNICACIONESSAESPCO false
121.123.189.104
 unknown Malaysia
9534 MAXIS-AS1-APBinariangBerhadMY false
90.96.151.55
 unknown France
28708 ORANGEFR-PORTAL-ASDSImutualizedinternetaccessFR false
202.213.203.204
 unknown Japan 2527 SO-NETSo-netEntertainmentCorporationJP false
129.27.47.135
 unknown Austria
1113 TUGNETTechnischeUniversitaetGrazAT false
137.157.61.137
 unknown Australia
45128 ANSTO-AS-APAustralianNuclearScienceandTechnologyOrgani false
129.174.174.190
 unknown United States
11279 GEORGE-MASON-UNIVUS false
73.171.96.92
 unknown United States
7922 COMCAST-7922US false
201.108.144.208
 unknown Mexico
8151 UninetSAdeCVMX false
143.195.87.215
 unknown United States
397112 ILLINOIS-MATH-SCIENCEUS false
122.25.119.169
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
119.171.179.223
 unknown Japan 9824 JTCL-JP-ASJupiterTelecommunicationCoLtdJP false
187.218.204.190
 unknown Mexico
8151 UninetSAdeCVMX false
122.33.51.115
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
188.238.215.167
 unknown Finland
1759 TSF-IP-CORETeliaFinlandOyjEU false
79.36.64.48
 unknown Italy
3269 ASN-IBSNAZIT false
147.157.121.222
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
133.235.143.138
 unknown Japan 7682 HOTNETHOKKAIDOTELECOMMUNICATIONSNETWORKCoIncJP false
107.127.201.195
 unknown United States
7018 ATT-INTERNET4US false
82.141.152.35
 unknown Hungary
12301 INVITECHHU false
189.95.170.173
 unknown Brazil
22085 ClaroSABR false
44.32.85.14
 unknown United States
7377 UCSDUS false
99.105.160.64
 unknown United States
7018 ATT-INTERNET4US false
177.183.159.176
 unknown Brazil
28573 CLAROSABR false
14.85.23.115
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
190.115.215.160
 unknown unknown
52260 TelecommunicationsdeHaitiTelecoHT false
128.97.218.171
 unknown United States
52 UCLAUS false
15.122.139.11
 unknown United States
13979 ATT-IPFRUS false
70.78.68.106
 unknown Canada
6327 SHAWCA false
78.137.148.31
 unknown Ireland
31122 DIGIWEB-ASIE false
189.252.239.247
 unknown Mexico
8151 UninetSAdeCVMX false
86.188.154.218
 unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
105.207.173.237
 unknown Egypt
36992 ETISALAT-MISREG false
100.89.13.123
 unknown Reserved
701 UUNETUS false
199.92.209.136
 unknown United States
3356 LEVEL3US false
184.49.107.56
 unknown United States
14654 WAYPORTUS false
96.66.17.160
 unknown United States
7922 COMCAST-7922US false
137.44.80.144
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
110.173.56.111
 unknown Hong Kong
45753 NETSEC-HKNETSECHK false
142.163.111.170
 unknown Canada
855 CANET-ASN-4CA false
220.251.237.223
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
184.146.75.64
 unknown Canada
577 BACOMCA false
160.53.170.97
 unknown Switzerland
21449 ETATGECH false
139.127.180.109
 unknown United States
30703 SHSC-1-ASUS false
58.89.75.61
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
216.170.159.205
 unknown United States
4181 TDS-ASUS false
133.58.158.103
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
183.160.55.166
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
181.131.251.248
 unknown Colombia
13489 EPMTelecomunicacionesSAESPCO false
240.197.225.209
 unknown Reserved
unknown unknown false
90.140.117.69
 unknown Sweden
1257 TELE2EU false
143.193.170.122
 unknown United States
7448 CHOICE-HOTELSUS false
210.108.128.216
 unknown Korea Republic of
10064 SANGNOK-AS-KRGEPSCheonanSagnokresortKR false
98.106.24.81
 unknown United States
6167 CELLCO-PARTUS false
90.111.59.118
 unknown France
3215 FranceTelecom-OrangeFR false
54.89.27.48
 unknown United States
14618 AMAZON-AESUS false
217.217.217.217
 unknown Spain
12357 COMUNITELSPAINES false
190.83.200.127
 unknown Trinidad and Tobago
27665 ColumbusCommunicationsTrinidadLimitedTT false
189.238.117.146
 unknown Mexico
8151 UninetSAdeCVMX false
215.177.106.95
 unknown United States
721 DNIC-ASBLK-00721-00726US false
117.148.134.120
 unknown China
56041 CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC false
110.161.42.71
 unknown Japan 9605 DOCOMONTTDOCOMOINCJP false
72.124.132.176
 unknown United States
22394 CELLCOUS false
158.64.139.142
 unknown Luxembourg
2602 RESTENAReseauTeleinformatiquedelEducationNationaleLU false
172.110.119.88
 unknown United States
7296 ALCHEMYNETUS false
205.175.195.165
 unknown United States
3715 THEBOE-3715US false
219.208.132.242
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
163.66.75.140
 unknown France
17816 CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi false
157.202.202.218
 unknown United States
1759 TSF-IP-CORETeliaFinlandOyjEU false
152.119.82.121
 unknown United States
2576 DOT-ASUS false
178.131.154.222
 unknown Iran (ISLAMIC Republic Of)
50810 MOBINNET-ASAS47823belongstoArvanCloudCDNthatismobinn false
148.199.80.109
 unknown United States
31382 KAPSCH-ASAT false
126.80.69.115
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
218.172.161.207
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false