Linux Analysis Report
bjC3JpJnc9

Overview

General Information

Sample Name:	bjC3JpJnc9
Analysis ID:	680655
MD5:	a52f488cf3c6b6a99950e65c7b8d1221
SHA1:	721d21a1fbe6fa7f8e3f8bd080336348b837c1e7
SHA256:	1277da50206f90cd4c40097458c66def3f8f244b86db5173a1d403c73e3efe76
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

ELF contains segments with high entropy indicating compressed/encrypted content

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: bjC3JpJnc9	Virustotal: Detection: 22%			Perma Link
Source: bjC3JpJnc9	ReversingLabs: Detection: 30%

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 194.230.78.72
Source: unknown	TCP traffic detected without corresponding DNS query: 14.188.175.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: bjC3JpJnc9

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 6235.1.00007f79d4017000.00007f79d4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6235.1.00007f79d4017000.00007f79d4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: bjC3JpJnc9 PID: 6235, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Yara signature match

Source: 6235.1.00007f79d4017000.00007f79d4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6235.1.00007f79d4017000.00007f79d4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: bjC3JpJnc9 PID: 6235, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.troj.evad.lin@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

ELF contains segments with high entropy indicating compressed/encrypted content

Source: bjC3JpJnc9

Submission file: segment LOAD with 7.9267 entropy (max. 8.0)

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/bjC3JpJnc9 (PID: 6235)

Queries kernel information via 'uname':

Jump to behavior

Source: bjC3JpJnc9, 6235.1.000055a414ca6000.000055a414e74000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: bjC3JpJnc9, 6235.1.00007ffe64a11000.00007ffe64a32000.rw-.sdmp	Binary or memory string: zex86_64/usr/bin/qemu-arm/tmp/bjC3JpJnc9SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bjC3JpJnc9
Source: bjC3JpJnc9, 6235.1.000055a414ca6000.000055a414e74000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: bjC3JpJnc9, 6235.1.00007ffe64a11000.00007ffe64a32000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: 6235.1.00007f79d4017000.00007f79d4026000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: 6235.1.00007f79d4017000.00007f79d4026000.r-x.sdmp, type: MEMORY

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
14.188.175.243	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
194.230.78.72	unknown	Switzerland	6730	SUNRISECH	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

ID:	680655
Product:	CloudBasic
Start time:	23:32:01
Start date:	08.08.2022
Sample:	bjC3JpJnc9
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	a52f488cf3c6b6a99950e65c7b8d1221
SHA1:	721d21a1fbe6fa7f8e3f8bd080336348b837c1e7
SHA256:	1277da50206f90cd4c40097458c66def3f8f244b86db5173a1d403c73e3efe76
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
bjC3JpJnc9

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report bjC3JpJnc9

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
bjC3JpJnc9