Linux Analysis Report
zerarm.elf

Overview

General Information

Sample name: zerarm.elf
Analysis ID: 1543153
MD5: df8ac01308ab6015e8ab997165338246
SHA1: 14c6d9231087b174c621570e674bed0a7a681633
SHA256: 1dd6b91e5c01b531acda095c662f649638e1a03ec141213504b1193834e89345
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: zerarm.elf ReversingLabs: Detection: 50%

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 45.156.86.24 ports 38241,1,2,3,4,8
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: yellowchink.pirate. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: burnthe.libre. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:49448 -> 45.156.86.24:38241
Sample listens on a socket
Source: /tmp/zerarm.elf (PID: 6263) Socket: 127.0.0.1:39148 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: global traffic DNS traffic detected: DNS query: yellowchink.pirate
Source: global traffic DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: yellowchink.pirate. [malformed]
Source: global traffic DNS traffic detected: DNS query: burnthe.libre. [malformed]
Source: global traffic DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: burnthe.libre
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/0@11/0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/zerarm.elf (PID: 6263) Queries kernel information via 'uname': Jump to behavior
Source: zerarm.elf, 6263.1.000055bc1dbbf000.000055bc1dced000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: zerarm.elf, 6263.1.000055bc1dbbf000.000055bc1dced000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: zerarm.elf, 6263.1.00007ffd65f35000.00007ffd65f56000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: zerarm.elf, 6263.1.00007ffd65f35000.00007ffd65f56000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/zerarm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerarm.elf

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false
45.156.86.24
 yellowchink.pirate Germany
44592 SKYLINKNL true

Contacted Domains

Name IP Active
yellowchink.pirate 45.156.86.24 true
burnthe.libre 45.156.86.24 true
chinklabs.dyn. [malformed] unknown unknown
burnthe.libre. [malformed] unknown unknown
netfags.geek. [malformed] unknown unknown
yellowchink.pirate. [malformed] unknown unknown