Linux Analysis Report
[cpu]

Overview

General Information

Sample Name: [cpu]
Analysis ID: 635364
MD5: 85f4d82e56d3f216724c475b4b4cc17e
SHA1: 8430f832533bc71db049b7160fbdc62c9e1e7f0d
SHA256: c381706c96b8c6e5e9ddf8e86400a2bc16a94401c25388d5edb459b686971f5c
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Opens /proc/net/* files useful for finding connected devices and routers
Sample contains symbols with suspicious names
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: [cpu] Avira: detected
Multi AV Scanner detection for submitted file
Source: [cpu] Virustotal: Detection: 59% Perma Link
Source: [cpu] ReversingLabs: Detection: 72%

Spreading
barindex
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/[cpu] (PID: 6221) Opens: /proc/net/route Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.23:57822 -> 45.95.55.12:23
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.55.12
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown TCP traffic detected without corresponding DNS query: 46.46.46.46
Source: unknown TCP traffic detected without corresponding DNS query: 47.47.47.47
Source: [cpu] String found in binary or memory: http://45.95.55.12/bins.sh;
Sample contains symbols with suspicious names
Source: ELF static info symbol of initial sample Name: passwords
Source: ELF static info symbol of initial sample Name: usernames
Source: classification engine Classification label: mal68.spre.lin@0/0@0/0
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: ELF static info symbol of initial sample FILE: libc/string/arm/_memcpy.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/memcpy.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/memset.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/strcmp.S
Source: ELF static info symbol of initial sample FILE: libc/string/arm/strlen.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/crt1.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/crti.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/crtn.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/sigrestorer.S
Source: ELF static info symbol of initial sample FILE: libc/sysdeps/linux/arm/vfork.S
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/[cpu] (PID: 6221) Queries kernel information via 'uname': Jump to behavior
Source: [cpu], 6221.1.000000002780e27b.00000000eb9246d2.rw-.sdmp, [cpu], 6225.1.000000002780e27b.00000000eb9246d2.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: [cpu], 6221.1.00000000a9359164.00000000cc808b5f.rw-.sdmp, [cpu], 6225.1.00000000a9359164.00000000cc808b5f.rw-.sdmp Binary or memory string: 7x86_64/usr/bin/qemu-arm/tmp/[cpu]SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/[cpu]
Source: [cpu], 6221.1.000000002780e27b.00000000eb9246d2.rw-.sdmp, [cpu], 6225.1.000000002780e27b.00000000eb9246d2.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: [cpu], 6221.1.00000000a9359164.00000000cc808b5f.rw-.sdmp, [cpu], 6225.1.00000000a9359164.00000000cc808b5f.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
200.108.193.169
 unknown Uruguay
20255 TecnowindSAUY false
213.173.138.197
 unknown Finland
1759 TSF-IP-CORETeliaFinlandOyjEU false
177.188.94.123
 unknown Brazil
27699 TELEFONICABRASILSABR false
187.208.161.182
 unknown Mexico
8151 UninetSAdeCVMX false
122.75.126.116
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
121.128.177.103
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
115.226.125.173
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
126.147.176.153
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
137.45.130.106
 unknown United States
13783 RADFORD-UNIV-ASUS false
57.168.67.115
 unknown Belgium
2686 ATGS-MMD-ASUS false
110.110.110.110
 unknown China
38341 CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN false
142.223.129.229
 unknown Canada
812 ROGERS-COMMUNICATIONSCA false
133.93.58.117
 unknown Japan 58647 KAGAWAU-ASKagawaUniversityJP false
179.89.229.220
 unknown Brazil
26599 TELEFONICABRASILSABR false
193.142.199.202
 unknown Italy
44939 SAILWEB-SRLIT false
137.91.38.142
 unknown United States
33350 APS---ARIZONA-PUBLIC-SERVICE-CORPORATIONUS false
191.116.170.122
 unknown Chile
27995 CLAROCHILESACL false
72.72.72.72
 unknown United States
701 UUNETUS false
161.109.116.97
 unknown United States
17327 TSTC-ASUS false
158.158.158.158
 unknown Singapore
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
143.51.136.112
 unknown Finland
16086 DNAFI false
87.165.103.103
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
116.153.195.115
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
68.149.55.155
 unknown Canada
6327 SHAWCA false
116.69.120.110
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
178.126.133.114
 unknown Belarus
6697 BELPAK-ASBELPAKBY false
183.183.183.183
 unknown Japan 45684 MIRAINETKyoceraCommunicationSystemsCoLtdJP false
182.142.107.166
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
120.175.153.209
 unknown Indonesia
4761 INDOSAT-INP-APINDOSATInternetNetworkProviderID false
133.82.139.142
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
131.73.187.71
 unknown United States
28075 ARLINKSAAR false
220.241.194.215
 unknown Hong Kong
4515 ERX-STARHKTLimitedHK false
129.123.43.116
 unknown United States
26046 USU-EDUUS false
152.73.59.174
 unknown Denmark
15687 AS15687DK false
117.82.103.50
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
155.75.34.135
 unknown United States
4010 DNIC-AS-04010US false
169.188.220.247
 unknown United States
37611 AfrihostZA false
188.109.95.210
 unknown Germany
3209 VODANETInternationalIP-BackboneofVodafoneDE false
168.84.103.130
 unknown United States
57717 FBX-ASNL false
48.121.148.77
 unknown United States
2686 ATGS-MMD-ASUS false
109.164.142.198
 unknown Switzerland
3303 SWISSCOMSwisscomSwitzerlandLtdCH false
108.84.166.127
 unknown United States
7018 ATT-INTERNET4US false
166.194.111.149
 unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
40.77.119.39
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
101.38.51.150
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN false
164.185.138.159
 unknown United States
37717 EL-KhawarizmiTN false
196.233.113.222
 unknown Tunisia
37492 ORANGE-TN false
161.103.181.79
 unknown United States
7582 UMAC-AS-APUniversityofMacauMO false
174.90.109.136
 unknown Canada
577 BACOMCA false
192.224.134.189
 unknown United States
1659 ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC false
184.77.135.103
 unknown United States
16509 AMAZON-02US false
140.251.150.198
 unknown United States
395139 NYP-INTERNETUS false
129.89.84.149
 unknown United States
7050 UW-MILWAUKEE-AS1US false
201.173.217.80
 unknown Mexico
11888 TelevisionInternacionalSAdeCVMX false
99.180.86.186
 unknown United States
7018 ATT-INTERNET4US false
197.238.244.219
 unknown unknown
37705 TOPNETTN false
154.175.204.181
 unknown Ghana
30986 SCANCOMGH false
167.132.153.100
 unknown United States
10405 UPRR-ASN-01US false
129.32.111.130
 unknown United States
3778 TEMPLEUS false
48.109.61.88
 unknown United States
2686 ATGS-MMD-ASUS false
131.67.91.174
 unknown United States
138 DNIC-AS-00138US false
46.83.125.45
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
177.108.172.91
 unknown Brazil
26615 TIMSABR false
145.174.126.54
 unknown Netherlands
59524 KPN-IAASNL false
70.175.147.69
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
242.195.246.236
 unknown Reserved
unknown unknown false
159.208.243.147
 unknown Canada
131090 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT false
198.232.124.120
 unknown United States
1828 UNITASUS false
114.134.118.118
 unknown Japan 4721 JCNJupiterTelecommunicationsCoLtdJP false
168.185.122.253
 unknown United States
2386 INS-ASUS false
83.102.134.161
 unknown Russian Federation
3216 SOVAM-ASRU false
22.100.38.38
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
152.124.170.114
 unknown United States
29992 VA-TMP-COREUS false
77.195.178.66
 unknown France
15557 LDCOMNETFR false
104.132.49.87
 unknown United States
36384 GOOGLE-ITUS false
80.198.181.69
 unknown Denmark
3292 TDCTDCASDK false
107.118.24.53
 unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
162.111.168.171
 unknown United States
13325 STOMIUS false
217.217.217.217
 unknown Spain
12357 COMUNITELSPAINES false
96.45.102.105
 unknown United States
19635 SANDHILL-ASUS false
111.52.84.156
 unknown China
56042 CMNET-SHANXI-APChinaMobilecommunicationscorporationCN false
160.80.39.140
 unknown Italy
137 ASGARRConsortiumGARREU false
168.141.84.84
 unknown United States
53585 NYSIFUS false
116.50.89.104
 unknown India
38529 RELIANCE-RIL-AS-APRelianceIndustriesLimitedWANBackbone false
153.197.191.94
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
183.137.84.188
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
219.150.214.133
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
158.100.178.76
 unknown United States
1226 CTA-42-AS1226US false
72.153.59.159
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
201.188.254.129
 unknown Chile
16629 CTCCORPSATELEFONICAEMPRESASCL false
209.157.164.145
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
99.51.93.157
 unknown United States
26306 THE-KARCHER-GROUPUS false
161.97.121.204
 unknown United States
51167 CONTABODE false
77.100.68.196
 unknown United Kingdom
5089 NTLGB false
93.121.218.212
 unknown France
21351 CANALPLUSTELECOMFR false
192.53.138.193
 unknown United States
553 BELWUEBelWue-KoordinationEU false
192.123.187.106
 unknown United States
393825 BOZZ-275-CTUS false
84.157.184.113
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
150.122.168.112
 unknown China
4152 USDA-1US false
36.154.137.25
 unknown China
56046 CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN false