Linux Analysis Report
GbY7rLP11G.elf

ID:	1468067
Product:	CloudBasic
Start time:	09:53:05
Start date:	05.07.2024
Sample:	GbY7rLP11G.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	dea610cf2658555f03c4a87d3d554f4f
SHA1:	2197ba7d8f7c9db1f1ecac89233b5784152fdc89
SHA256:	77ec9c5279ecc1997e20079554d929f3b87e946933e542698f4516506c5b143a
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: GbY7rLP11G.elf

Virustotal: Detection: 19%

Perma Link

Networking

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: GbY7rLP11G.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: LOAD without section mappings

Program segment: 0x8000

Source: classification engine

Classification label: mal52.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Source: /usr/bin/dash (PID: 6202)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6H7I0iaIFI /tmp/tmp.cvE0P4snFx /tmp/tmp.B7wEQI0wtu			Jump to behavior
Source: /usr/bin/dash (PID: 6203)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6H7I0iaIFI /tmp/tmp.cvE0P4snFx /tmp/tmp.B7wEQI0wtu			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: GbY7rLP11G.elf

Submission file: segment LOAD with 7.937 entropy (max. 8.0)

Malware Analysis System Evasion

Source: /tmp/GbY7rLP11G.elf (PID: 6214)

Queries kernel information via 'uname':

Jump to behavior

Source: GbY7rLP11G.elf, 6214.1.000055738f20c000.000055738f33a000.rw-.sdmp	Binary or memory string: sU!/etc/qemu-binfmt/arm
Source: GbY7rLP11G.elf, 6214.1.000055738f20c000.000055738f33a000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: GbY7rLP11G.elf, 6214.1.00007ffeeff97000.00007ffeeffb8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: GbY7rLP11G.elf, 6214.1.00007ffeeff97000.00007ffeeffb8000.rw-.sdmp	Binary or memory string: ]vx86_64/usr/bin/qemu-arm/tmp/GbY7rLP11G.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/GbY7rLP11G.elf
Source: GbY7rLP11G.elf, 6214.1.00007ffeeff97000.00007ffeeffb8000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped