Linux Analysis Report
mips64.elf

Overview

General Information

Sample name: mips64.elf
Analysis ID: 1543412
MD5: f92b7b20b48a81aa2bcf36b8a778d367
SHA1: 9936b20da2ac3f749b97a93610f61a0a2865bc74
SHA256: 1cc6c44557fa4c098f525f26e84cfde30486924aa1090248affb42dc103b4aa4
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false

Signatures

Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: global traffic TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: clean1.linELF@0/0@0/0
Source: ELF file section Submission: mips64.elf
Source: /tmp/mips64.elf (PID: 5514) Queries kernel information via 'uname': Jump to behavior
Source: mips64.elf, 5514.1.00007ffec72c3000.00007ffec72e4000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips64
Source: mips64.elf, 5514.1.000055abd3284000.000055abd3805000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips641RelativeDistinguishedName
Source: mips64.elf, 5514.1.00007ffec72c3000.00007ffec72e4000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips64/tmp/mips64.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips64.elf
Source: mips64.elf, 5514.1.000055abd3284000.000055abd3805000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips64
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs