Linux Analysis Report
lIIKVQc5cj.elf

Overview

General Information

Sample name: lIIKVQc5cj.elf (renamed because the original name is a hash value)
Original sample name: 236c1ab0f391bf4252c53162d687314b.elf
Analysis ID: 1446369
MD5: 236c1ab0f391bf4252c53162d687314b
SHA1: 14adde96ea132e53522639e109461c1f342e0b1b
SHA256: d99f6f44ac80bd81e6fe2bb0327d53e37e8415593ee3935676a149a8765893d9
Tags: 32, arm, elf, mirai

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection

Source: lIIKVQc5cj.elf ReversingLabs: Detection: 47%
Source: lIIKVQc5cj.elf Virustotal: Detection: 39%
Source: unknown HTTPS traffic detected: 34.254.182.186:443 -> 192.168.2.14:59320 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59320
Source: unknown Network traffic detected: HTTP traffic on port 59320 -> 443
Source: unknown HTTPS traffic detected: 34.254.182.186:443 -> 192.168.2.14:59320 version: TLS 1.2

System Summary

Source: lIIKVQc5cj.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5482.1.00007f42d8017000.00007f42d8020000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: lIIKVQc5cj.elf PID: 5482, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: ELF static info symbol of initial sample .symtab present: no
Source: lIIKVQc5cj.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5482.1.00007f42d8017000.00007f42d8020000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: lIIKVQc5cj.elf PID: 5482, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal56.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5494) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NFTAlYjTat /tmp/tmp.CawU0L4Sll /tmp/tmp.ZbPifuRcZD
Source: /usr/bin/dash (PID: 5503) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NFTAlYjTat /tmp/tmp.CawU0L4Sll /tmp/tmp.ZbPifuRcZD
Source: /tmp/lIIKVQc5cj.elf (PID: 5482) Queries kernel information via 'uname'
Source: lIIKVQc5cj.elf, 5482.1.00007ffc2c9a2000.00007ffc2c9c3000.rw-.sdmp Binary or memory string: qemu: %s: %s
Source: lIIKVQc5cj.elf, 5482.1.00007ffc2c9a2000.00007ffc2c9c3000.rw-.sdmp Binary or memory string: leqemu: %s: %s
Source: lIIKVQc5cj.elf, 5482.1.0000560c3eea9000.0000560c3efd7000.rw-.sdmp Binary or memory string: Vrg.qemu.gdb.arm.sys.regs">
Source: lIIKVQc5cj.elf, 5482.1.0000560c3eea9000.0000560c3efd7000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: lIIKVQc5cj.elf, 5482.1.00007ffc2c9a2000.00007ffc2c9c3000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: lIIKVQc5cj.elf, 5482.1.0000560c3eea9000.0000560c3efd7000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm
Source: lIIKVQc5cj.elf, 5482.1.00007ffc2c9a2000.00007ffc2c9c3000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/lIIKVQc5cj.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/lIIKVQc5cj.elf
Source: lIIKVQc5cj.elf, 5482.1.0000560c3eea9000.0000560c3efd7000.rw-.sdmp Binary or memory string: rg.qemu.gdb.arm.sys.regs">