Linux Analysis Report
6uBxa0vGQt.elf

Overview

General Information

Sample name:	6uBxa0vGQt.elf renamed because original name is a hash value
Original sample name:	89d7a012a98e1de5e86cb807ade07871.elf
Analysis ID:	1446360
MD5:	89d7a012a98e1de5e86cb807ade07871
SHA1:	7e04f6fb28fa65081e973eb82eb5992d9b873c07
SHA256:	3e7b120b4b5ec4cee241e8a2e662d04e469c4fd302fe6b8e826e0a1d90e13fc7
Tags:	32elfgafgytsparc
Infos:

Detection

Gafgyt

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Gafgyt

Opens /proc/net/* files useful for finding connected devices and routers

Sample and/or dropped files contains symbols with suspicious names

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Signatures

AV Detection

Found malware configuration

Source: 6uBxa0vGQt.elf

Malware Configuration Extractor: Gafgyt {"C2 url": "91.92.240.85:23"}

Multi AV Scanner detection for submitted file

Source: 6uBxa0vGQt.elf	ReversingLabs: Detection: 65%
Source: 6uBxa0vGQt.elf	Virustotal: Detection: 57%			Perma Link

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/6uBxa0vGQt.elf (PID: 5436)

Opens: /proc/net/route

Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2840333 ETPRO TROJAN ELF/BASHLITE Variant CnC Activity 192.168.2.13:37796 -> 91.92.240.85:23

Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.240.85
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.240.85
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.240.85
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.240.85
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.240.85
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.2.2.2
Source: unknown	TCP traffic detected without corresponding DNS query: 3.3.3.3
Source: unknown	TCP traffic detected without corresponding DNS query: 6.6.6.6
Source: unknown	TCP traffic detected without corresponding DNS query: 4.4.4.4
Source: unknown	TCP traffic detected without corresponding DNS query: 5.5.5.5
Source: unknown	TCP traffic detected without corresponding DNS query: 7.7.7.7
Source: unknown	TCP traffic detected without corresponding DNS query: 11.11.11.11
Source: unknown	TCP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	TCP traffic detected without corresponding DNS query: 12.12.12.12
Source: unknown	TCP traffic detected without corresponding DNS query: 13.13.13.13
Source: unknown	TCP traffic detected without corresponding DNS query: 14.14.14.14
Source: unknown	TCP traffic detected without corresponding DNS query: 16.16.16.16
Source: unknown	TCP traffic detected without corresponding DNS query: 15.15.15.15
Source: unknown	TCP traffic detected without corresponding DNS query: 17.17.17.17
Source: unknown	TCP traffic detected without corresponding DNS query: 18.18.18.18
Source: unknown	TCP traffic detected without corresponding DNS query: 19.19.19.19
Source: unknown	TCP traffic detected without corresponding DNS query: 20.20.20.20
Source: unknown	TCP traffic detected without corresponding DNS query: 21.21.21.21
Source: unknown	TCP traffic detected without corresponding DNS query: 22.22.22.22
Source: unknown	TCP traffic detected without corresponding DNS query: 23.23.23.23
Source: unknown	TCP traffic detected without corresponding DNS query: 24.24.24.24
Source: unknown	TCP traffic detected without corresponding DNS query: 25.25.25.25
Source: unknown	TCP traffic detected without corresponding DNS query: 26.26.26.26
Source: unknown	TCP traffic detected without corresponding DNS query: 27.27.27.27
Source: unknown	TCP traffic detected without corresponding DNS query: 28.28.28.28
Source: unknown	TCP traffic detected without corresponding DNS query: 29.29.29.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.31.31.31
Source: unknown	TCP traffic detected without corresponding DNS query: 30.30.30.30
Source: unknown	TCP traffic detected without corresponding DNS query: 32.32.32.32
Source: unknown	TCP traffic detected without corresponding DNS query: 33.33.33.33
Source: unknown	TCP traffic detected without corresponding DNS query: 34.34.34.34
Source: unknown	TCP traffic detected without corresponding DNS query: 35.35.35.35
Source: unknown	TCP traffic detected without corresponding DNS query: 36.36.36.36
Source: unknown	TCP traffic detected without corresponding DNS query: 37.37.37.37
Source: unknown	TCP traffic detected without corresponding DNS query: 38.38.38.38
Source: unknown	TCP traffic detected without corresponding DNS query: 39.39.39.39
Source: unknown	TCP traffic detected without corresponding DNS query: 41.41.41.41
Source: unknown	TCP traffic detected without corresponding DNS query: 42.42.42.42
Source: unknown	TCP traffic detected without corresponding DNS query: 40.40.40.40
Source: unknown	TCP traffic detected without corresponding DNS query: 43.43.43.43
Source: unknown	TCP traffic detected without corresponding DNS query: 44.44.44.44
Source: unknown	TCP traffic detected without corresponding DNS query: 45.45.45.45
Source: unknown	TCP traffic detected without corresponding DNS query: 46.46.46.46
Source: unknown	TCP traffic detected without corresponding DNS query: 47.47.47.47

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: 6uBxa0vGQt.elf

String found in binary or memory: http://91.92.240.85/bins.sh;

System Summary

Malicious sample detected (through community Yara rule)

Source: 6uBxa0vGQt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_fb14e81f Author: unknown
Source: 5438.1.00007fc2a8011000.00007fc2a802a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_fb14e81f Author: unknown
Source: 5436.1.00007fc2a8011000.00007fc2a802a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_fb14e81f Author: unknown

Sample and/or dropped files contains symbols with suspicious names

Source: 6uBxa0vGQt.elf	ELF static info symbol of initial sample: passwords
Source: 6uBxa0vGQt.elf	ELF static info symbol of initial sample: usernames

Yara signature match

Source: 6uBxa0vGQt.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_fb14e81f severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0fd07e6068a721774716eb4940e2c19faef02d5bdacf3b018bf5995fa98a3a27, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 12b430108256bd0f57f48b9dbbea12eba7405c0b3b66a1c4b882647051f1ec52, id = fb14e81f-be2a-4428-9877-958e394a7ae2, last_modified = 2022-01-26
Source: 5438.1.00007fc2a8011000.00007fc2a802a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_fb14e81f severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0fd07e6068a721774716eb4940e2c19faef02d5bdacf3b018bf5995fa98a3a27, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 12b430108256bd0f57f48b9dbbea12eba7405c0b3b66a1c4b882647051f1ec52, id = fb14e81f-be2a-4428-9877-958e394a7ae2, last_modified = 2022-01-26
Source: 5436.1.00007fc2a8011000.00007fc2a802a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_fb14e81f severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0fd07e6068a721774716eb4940e2c19faef02d5bdacf3b018bf5995fa98a3a27, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 12b430108256bd0f57f48b9dbbea12eba7405c0b3b66a1c4b882647051f1ec52, id = fb14e81f-be2a-4428-9877-958e394a7ae2, last_modified = 2022-01-26

Source: classification engine

Classification label: mal84.spre.troj.linELF@0/1@2/0

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/6uBxa0vGQt.elf (PID: 5436)

Queries kernel information via 'uname':

Jump to behavior

Source: 6uBxa0vGQt.elf, 5436.1.000055be0be43000.000055be0bea8000.rw-.sdmp, 6uBxa0vGQt.elf, 5438.1.000055be0be43000.000055be0bea8000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: 6uBxa0vGQt.elf, 5436.1.00007fffb2f3e000.00007fffb2f5f000.rw-.sdmp, 6uBxa0vGQt.elf, 5438.1.00007fffb2f3e000.00007fffb2f5f000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/6uBxa0vGQt.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6uBxa0vGQt.elf
Source: 6uBxa0vGQt.elf, 5436.1.000055be0be43000.000055be0bea8000.rw-.sdmp, 6uBxa0vGQt.elf, 5438.1.000055be0be43000.000055be0bea8000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: 6uBxa0vGQt.elf, 5436.1.00007fffb2f3e000.00007fffb2f5f000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.9bvMbe\TI
Source: 6uBxa0vGQt.elf, 5436.1.00007fffb2f3e000.00007fffb2f5f000.rw-.sdmp, 6uBxa0vGQt.elf, 5438.1.00007fffb2f3e000.00007fffb2f5f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: 6uBxa0vGQt.elf, 5436.1.00007fffb2f3e000.00007fffb2f5f000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.9bvMbe

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match

File source: 6uBxa0vGQt.elf, type: SAMPLE

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match

File source: 6uBxa0vGQt.elf, type: SAMPLE

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.109.109.109	unknown	Netherlands	30925	SPEEDXS-ASNL	false
205.93.164.94	unknown	United States	3475	DNIC-AS-03475US	false
162.173.134.149	unknown	United States	21928	T-MOBILE-AS21928US	false
125.141.168.188	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
174.148.140.143	unknown	United States	10507	SPCSUS	false
222.110.181.111	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
217.228.189.204	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
181.127.106.233	unknown	Paraguay	23201	TelecelSAPY	false
240.167.138.200	unknown	Reserved	unknown	unknown	false
110.126.153.173	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
115.77.79.83	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
110.110.110.110	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
137.105.180.97	unknown	United Kingdom	3128	BRUWS-AS3128US	false
85.35.134.14	unknown	Italy	3269	ASN-IBSNAZIT	false
153.162.119.146	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
72.72.72.72	unknown	United States	701	UUNETUS	false
151.63.65.126	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
158.158.158.158	unknown	Singapore	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
90.82.169.181	unknown	France	3215	FranceTelecom-OrangeFR	false
210.139.187.184	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
183.183.183.183	unknown	Japan	45684	MIRAINETKyoceraCommunicationSystemsCoLtdJP	false
95.71.108.36	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
186.197.158.173	unknown	Brazil	26615	TIMSABR	false
102.114.195.128	unknown	Mauritius	23889	MauritiusTelecomMU	false
45.151.37.82	unknown	Netherlands	12695	DINET-ASRU	false
242.149.123.242	unknown	Reserved	unknown	unknown	false
177.104.75.137	unknown	Brazil	28258	PowerlineInternetBR	false
213.181.218.192	unknown	Hungary	47169	HPC-MVM-ASHU	false
84.76.163.175	unknown	Spain	12479	UNI2-ASES	false
175.142.72.193	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
214.213.211.228	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
133.190.114.251	unknown	Japan	4729	JAEAJapanAtomicEnergyAgencyJP	false
152.144.231.243	unknown	United States	6400	CompaniaDominicanadeTelefonosSADO	false
76.149.211.100	unknown	United States	7922	COMCAST-7922US	false
139.171.81.108	unknown	United States	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
117.190.252.141	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
215.189.219.205	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
186.185.183.200	unknown	Venezuela	6306	TELEFONICAVENEZOLANACAVE	false
68.42.72.58	unknown	United States	7922	COMCAST-7922US	false
99.44.123.86	unknown	United States	7018	ATT-INTERNET4US	false
137.148.109.124	unknown	United States	32818	CSUOHIO-ASUS	false
47.39.126.138	unknown	United States	20115	CHARTER-20115US	false
186.249.207.191	unknown	Brazil	28192	GlobalwaveTelecomBR	false
140.93.137.98	unknown	France	1715	FR-REMIP2000REMIP2000AutonomousSystemEU	false
14.87.149.38	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
116.179.137.121	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
180.130.229.109	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
40.146.32.77	unknown	United States	4249	LILLY-ASUS	false
189.157.232.149	unknown	Mexico	8151	UninetSAdeCVMX	false
218.206.152.226	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
211.222.183.198	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
62.125.199.110	unknown	United Kingdom	702	UUNETUS	false
122.128.49.65	unknown	Korea Republic of	17608	ABN-AS-KRABNKR	false
223.255.165.192	unknown	Hong Kong	9381	HKBNES-AS-APHKBNEnterpriseSolutionsHKLimitedHK	false
81.49.124.41	unknown	France	3215	FranceTelecom-OrangeFR	false
201.130.178.175	unknown	Mexico	8151	UninetSAdeCVMX	false
33.90.14.151	unknown	United States	2686	ATGS-MMD-ASUS	false
202.211.168.195	unknown	Japan	4725	ODNSoftBankMobileCorpJP	false
217.217.217.217	unknown	Spain	12357	COMUNITELSPAINES	false
208.229.165.227	unknown	United States	4208	THE-ISERV-COMPANYUS	false
200.167.97.218	unknown	Brazil	4230	CLAROSABR	false
253.147.203.178	unknown	Reserved	unknown	unknown	false
112.88.125.53	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
168.144.181.109	unknown	Canada	27435	OPSOURCE-INCUS	false
157.110.154.115	unknown	Japan	37910	CUNETChubuUniversityJP	false
165.171.92.108	unknown	United States	5647	ASN-KODAKUS	false
152.81.129.126	unknown	France	782	FR-LORIAASfortheLaboratoireenrechercheinformatique	false
90.153.227.138	unknown	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	false
111.56.135.98	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
129.102.191.77	unknown	France	2200	FR-RENATERReseauNationaldetelecommunicationspourlaTec	false
159.127.164.138	unknown	United States	40088	WESTLAKE-CHEMICAL-CORPORATIONUS	false
174.179.119.165	unknown	United States	7922	COMCAST-7922US	false
79.142.100.84	unknown	Russian Federation	44670	TVIGORU	false
146.120.150.136	unknown	Czech Republic	42772	A1-BY-ASBY	false
82.74.161.173	unknown	Netherlands	33915	TNF-ASNL	false
154.166.247.180	unknown	Ghana	30986	SCANCOMGH	false
192.224.134.161	unknown	United States	1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	false
154.122.159.133	unknown	Kenya	12455	JAMBONETKE	false
63.169.55.100	unknown	United States	1239	SPRINTLINKUS	false
216.110.166.141	unknown	United States	3064	AFFINITY-FTLUS	false
147.179.89.116	unknown	United States	12257	EMC-AS12257US	false
74.50.87.15	unknown	United States	19318	IS-AS-1US	false
137.82.161.124	unknown	Canada	393249	UBCCA	false
55.118.76.60	unknown	United States	361	DNIC-ASBLK-00306-00371US	false
175.104.152.149	unknown	Japan	10013	FBDCFreeBitCoLtdJP	false
51.13.15.19	unknown	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
58.121.195.106	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
168.95.66.128	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
125.99.91.94	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	false
128.149.85.147	unknown	United States	127	JPL-AS127US	false
187.154.84.205	unknown	Mexico	8151	UninetSAdeCVMX	false
185.135.234.114	unknown	Russian Federation	203387	ASTLXRU	false
141.157.184.204	unknown	United States	701	UUNETUS	false
177.123.102.229	unknown	Brazil	26615	TIMSABR	false
206.135.183.180	unknown	United States	18566	MEGAPATH5-US	false
86.143.67.204	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
220.173.217.178	unknown	China	134419	CHINATELECOM-GUANGXI-BEIHAI-MANBeihaiCN	false
122.68.47.174	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
174.148.178.164	unknown	United States	10507	SPCSUS	false
60.133.195.84	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.25	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
91.92.240.85:23	true	Avira URL Cloud: safe	unknown

ID:	1446360
Product:	CloudBasic
Start time:	10:41:10
Start date:	23.05.2024
Sample:	6uBxa0vGQt.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	89d7a012a98e1de5e86cb807ade07871
SHA1:	7e04f6fb28fa65081e973eb82eb5992d9b873c07
SHA256:	3e7b120b4b5ec4cee241e8a2e662d04e469c4fd302fe6b8e826e0a1d90e13fc7
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report 6uBxa0vGQt.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Linux Analysis Report
6uBxa0vGQt.elf

Malware Threat Intel
Provided by