Linux Analysis Report
linux_386.elf

Overview

General Information

Sample name:	linux_386.elf
Analysis ID:	1543426
MD5:	4b53bd2b79fc8f18d1a5e591358bcfb9
SHA1:	4cde3dce676fb3a040472458c807b945d8ffefd8
SHA256:	30523d9f0e7898f89538e2babd0e305b4e25b06521418e299e4e983c8597b558
Tags:	elfuser-abuse_ch
Infos:

Detection

Chaos

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Chaos

Drops files in suspicious directories

Machine Learning detection for sample

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using cron

Sample tries to set files in /etc globally writable

Uses known network protocols on non-standard ports

Creates hidden files and/or directories

Creates hidden files without content (potentially used as a mutex)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "kill" or "pkill" command typically used to terminate processes

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Executes the "systemctl" command used for controlling the systemd system and service manager

Reads CPU information from /sys indicative of miner or evasive malware

Reads the 'hosts' file potentially containing internal network hosts

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Sleeps for long times indicative of sandbox evasion

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Writes shell script files to disk

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Chaos	Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.	No Attribution	https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html	https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: linux_386.elf

ReversingLabs: Detection: 55%

Machine Learning detection for sample

Source: linux_386.elf

Joe Sandbox ML: detected

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pkill (PID: 6317)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6714)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53978
Source: unknown	Network traffic detected: HTTP traffic on port 53982 -> 808
Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53982

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:53978 -> 154.12.82.11:808

Reads the 'hosts' file potentially containing internal network hosts

Source: /tmp/linux_386.elf (PID: 6245)

Reads hosts file: /etc/hosts

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11

Source: global traffic

HTTP traffic detected: GET /password.txt HTTP/1.1Host: 154.12.82.11:808User-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: linux_386.elf	String found in binary or memory: http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qpadding bytes must all be zeros unless AllowIllegalWrites is enabledreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytestls: peer doesn't support the certificate custom signature algorithmsbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xgot %s for stream %d; expected CONTINUATION following %s for stream %dx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)dynamic table size update MUST occur at the beginning of a header blockssh: no common algorithm for %s; client offered: %v, server offered: %vtls: peer doesn't support any of the certificate's signature algorithmstoo many concurrent operations on a single file or socket (max 1048575)x509: issuer has name constraints but leaf doesn't have a SAN extensionMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)tls: server's certificate contains an unsupported type of public key: %Ttls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]\|[0-4]\d))\|[0-1]?\d{1,2})(\.((2(5[0-5]\|[0-4]\d))\|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempt
Source: linux_386.elf	String found in binary or memory: http: RoundTripper implementation (%T) returned a nil Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,/;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromised1.0.3<<RMS>> equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: linux_386.elf	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_386.elf	String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_386.elf	String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_386.elf	String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_386.elf	String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_386.elf	String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_386.elf	String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_386.elf	String found in binary or memory: http://yandex.com/bots)http:
Source: linux_386.elf	String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_386.elf	String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_386.elf	String found in binary or memory: https://www.so.com/s?q=index

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /usr/bin/pkill (PID: 6317)	SIGKILL sent: pid: 6250, result: successful
Source: /usr/bin/pkill (PID: 6714)	SIGKILL sent: pid: 6349, result: successful

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/17@2/0

Source: ELF file section

Submission: linux_386.elf

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/linux_386.elf (PID: 6245)

File: /etc/profile.d/bash_config.sh

Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/bash (PID: 6399)

File: /etc/crontab

Sample tries to set files in /etc globally writable

Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/32678 (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Creates hidden files and/or directories

Source: /tmp/linux_386.elf (PID: 6245)	File: /dev/.old	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /dev/.img	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /.img	Jump to behavior
Source: /etc/id.services.conf (PID: 6718)	File: /dev/.old
Source: /etc/id.services.conf (PID: 6718)	File: /dev/.img
Source: /boot/System.img.config (PID: 6348)	File: /dev/.old
Source: /boot/System.img.config (PID: 6348)	File: /dev/.img

Creates hidden files without content (potentially used as a mutex)

Source: /boot/System.img.config (PID: 6348)	Empty hidden file: /dev/.old
Source: /boot/System.img.config (PID: 6348)	Empty hidden file: /dev/.img

Enumerates processes within the "proc" file system

Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6592/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6592/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/linux_386.elf (PID: 6243)	Shell command executed: /bin/bash -c /etc/32678&	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6284)	Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
Source: /tmp/linux_386.elf (PID: 6373)	Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw \| audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
Source: /usr/sbin/cron (PID: 6674)	Shell command executed: /bin/sh -c "/.img "
Source: /usr/sbin/cron (PID: 6681)	Shell command executed: /bin/sh -c " [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi"

Executes the "kill" or "pkill" command typically used to terminate processes

Source: /boot/System.img.config (PID: 6317)	Pkill executable: /usr/bin/pkill -> pkill -9 32678
Source: /etc/id.services.conf (PID: 6714)	Pkill executable: /usr/bin/pkill -> pkill -9 32678

Executes the "systemctl" command used for controlling the systemd system and service manager

Source: /usr/sbin/service (PID: 6244)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service	Jump to behavior
Source: /usr/sbin/service (PID: 6264)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 6267)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 6265)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6285)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6299)	Systemctl executable: /usr/bin/systemctl -> systemctl enable linux.service
Source: /bin/bash (PID: 6303)	Systemctl executable: /usr/bin/systemctl -> systemctl start linux.service
Source: /usr/sbin/service (PID: 6466)	Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service
Source: /usr/sbin/service (PID: 6469)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6512)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /tmp/linux_386.elf (PID: 6592)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6716)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6729)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6731)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 6347)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6364)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6366)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket

Sample tries to set the executable flag

Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/32678 (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /boot/System.img.config (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/lib/libdlrpcld.so (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/lib/system-monitor (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/ss (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/ls (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/dir (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/find (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Writes shell script file to disk with an unusual file extension

Source: /tmp/linux_386.elf (PID: 6238)	Writes shell script file to disk with an unusual file extension: /etc/32678	Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	Writes shell script file to disk with an unusual file extension: /etc/init.d/linux_kill	Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	Writes shell script file to disk with an unusual file extension: /.img	Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh	Jump to dropped file

Writes shell script files to disk

Source: /tmp/linux_386.elf (PID: 6245)

Shell script file created: /etc/profile.d/bash_config.sh

Jump to dropped file

Source: /usr/sbin/service (PID: 6268)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 6513)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6732)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6367)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/init.d/linux_kill			Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/init.d/ssh			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53978
Source: unknown	Network traffic detected: HTTP traffic on port 53982 -> 808
Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53982

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Source: /etc/32678 (PID: 6263)	Sleep executable: /usr/bin/sleep -> sleep 60	Jump to behavior
Source: /etc/32678 (PID: 6362)	Sleep executable: /usr/bin/sleep -> sleep 60
Source: /etc/32678 (PID: 6727)	Sleep executable: /usr/bin/sleep -> sleep 60

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pkill (PID: 6317)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6714)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Sleeps for long times indicative of sandbox evasion

Source: /usr/bin/sleep (PID: 6263)	Sleeps longer then 60s: 60.0s	Jump to behavior
Source: /usr/bin/sleep (PID: 6362)	Sleeps longer then 60s: 60.0s
Source: /usr/bin/sleep (PID: 6727)	Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 6582)	Sleeps longer then 60s: 60.0s

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/linux_386.elf (PID: 6238)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 6243)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 6284)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6373)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6399)	Queries kernel information via 'uname':

Stealing of Sensitive Information

Yara detected Chaos

Source: Yara match

File source: linux_386.elf, type: SAMPLE

Remote Access Functionality

Yara detected Chaos

Source: Yara match

File source: linux_386.elf, type: SAMPLE

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.12.82.11	unknown	United States	174	COGENT-174US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Contacted Domains

Name	IP	Active
www.google.com	142.250.184.228	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://154.12.82.11:808/password.txt	false		unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: linux_386.elf

ReversingLabs: Detection: 55%

Machine Learning detection for sample

Source: linux_386.elf

Joe Sandbox ML: detected

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pkill (PID: 6317)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6714)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53978
Source: unknown	Network traffic detected: HTTP traffic on port 53982 -> 808
Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53982

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:53978 -> 154.12.82.11:808

Reads the 'hosts' file potentially containing internal network hosts

Source: /tmp/linux_386.elf (PID: 6245)

Reads hosts file: /etc/hosts

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11
Source: unknown	TCP traffic detected without corresponding DNS query: 154.12.82.11

Source: global traffic

HTTP traffic detected: GET /password.txt HTTP/1.1Host: 154.12.82.11:808User-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: linux_386.elf	String found in binary or memory: http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qpadding bytes must all be zeros unless AllowIllegalWrites is enabledreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytestls: peer doesn't support the certificate custom signature algorithmsbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xgot %s for stream %d; expected CONTINUATION following %s for stream %dx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)dynamic table size update MUST occur at the beginning of a header blockssh: no common algorithm for %s; client offered: %v, server offered: %vtls: peer doesn't support any of the certificate's signature algorithmstoo many concurrent operations on a single file or socket (max 1048575)x509: issuer has name constraints but leaf doesn't have a SAN extensionMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)tls: server's certificate contains an unsupported type of public key: %Ttls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]\|[0-4]\d))\|[0-1]?\d{1,2})(\.((2(5[0-5]\|[0-4]\d))\|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempt
Source: linux_386.elf	String found in binary or memory: http: RoundTripper implementation (%T) returned a nil Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,/;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromised1.0.3<<RMS>> equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: linux_386.elf	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_386.elf	String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_386.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_386.elf	String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_386.elf	String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_386.elf	String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_386.elf	String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_386.elf	String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_386.elf	String found in binary or memory: http://yandex.com/bots)http:
Source: linux_386.elf	String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_386.elf	String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_386.elf	String found in binary or memory: https://www.so.com/s?q=index

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /usr/bin/pkill (PID: 6317)	SIGKILL sent: pid: 6250, result: successful
Source: /usr/bin/pkill (PID: 6714)	SIGKILL sent: pid: 6349, result: successful

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/17@2/0

Source: ELF file section

Submission: linux_386.elf

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/linux_386.elf (PID: 6245)

File: /etc/profile.d/bash_config.sh

Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/bash (PID: 6399)

File: /etc/crontab

Sample tries to set files in /etc globally writable

Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/32678 (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Creates hidden files and/or directories

Source: /tmp/linux_386.elf (PID: 6245)	File: /dev/.old	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /dev/.img	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /.img	Jump to behavior
Source: /etc/id.services.conf (PID: 6718)	File: /dev/.old
Source: /etc/id.services.conf (PID: 6718)	File: /dev/.img
Source: /boot/System.img.config (PID: 6348)	File: /dev/.old
Source: /boot/System.img.config (PID: 6348)	File: /dev/.img

Creates hidden files without content (potentially used as a mutex)

Source: /boot/System.img.config (PID: 6348)	Empty hidden file: /dev/.old
Source: /boot/System.img.config (PID: 6348)	Empty hidden file: /dev/.img

Enumerates processes within the "proc" file system

Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6592/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6592/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/6354/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File opened: /proc/3088/stat	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/linux_386.elf (PID: 6243)	Shell command executed: /bin/bash -c /etc/32678&	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6284)	Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
Source: /tmp/linux_386.elf (PID: 6373)	Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw \| audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
Source: /usr/sbin/cron (PID: 6674)	Shell command executed: /bin/sh -c "/.img "
Source: /usr/sbin/cron (PID: 6681)	Shell command executed: /bin/sh -c " [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi"

Executes the "kill" or "pkill" command typically used to terminate processes

Source: /boot/System.img.config (PID: 6317)	Pkill executable: /usr/bin/pkill -> pkill -9 32678
Source: /etc/id.services.conf (PID: 6714)	Pkill executable: /usr/bin/pkill -> pkill -9 32678

Executes the "systemctl" command used for controlling the systemd system and service manager

Source: /usr/sbin/service (PID: 6244)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service	Jump to behavior
Source: /usr/sbin/service (PID: 6264)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 6267)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 6265)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6285)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6299)	Systemctl executable: /usr/bin/systemctl -> systemctl enable linux.service
Source: /bin/bash (PID: 6303)	Systemctl executable: /usr/bin/systemctl -> systemctl start linux.service
Source: /usr/sbin/service (PID: 6466)	Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service
Source: /usr/sbin/service (PID: 6469)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6512)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /tmp/linux_386.elf (PID: 6592)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6716)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6729)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6731)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 6347)	Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6364)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6366)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket

Sample tries to set the executable flag

Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6238)	File: /etc/32678 (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /boot/System.img.config (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/lib/libdlrpcld.so (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/lib/system-monitor (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/ss (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/ls (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/dir (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/find (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Writes shell script file to disk with an unusual file extension

Source: /tmp/linux_386.elf (PID: 6238)	Writes shell script file to disk with an unusual file extension: /etc/32678	Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	Writes shell script file to disk with an unusual file extension: /etc/init.d/linux_kill	Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	Writes shell script file to disk with an unusual file extension: /.img	Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh	Jump to dropped file

Writes shell script files to disk

Source: /tmp/linux_386.elf (PID: 6245)

Shell script file created: /etc/profile.d/bash_config.sh

Jump to dropped file

Source: /usr/sbin/service (PID: 6268)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 6513)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6732)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6367)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/init.d/linux_kill			Jump to dropped file
Source: /tmp/linux_386.elf (PID: 6245)	File: /etc/init.d/ssh			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53978
Source: unknown	Network traffic detected: HTTP traffic on port 53982 -> 808
Source: unknown	Network traffic detected: HTTP traffic on port 808 -> 53982

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Source: /etc/32678 (PID: 6263)	Sleep executable: /usr/bin/sleep -> sleep 60	Jump to behavior
Source: /etc/32678 (PID: 6362)	Sleep executable: /usr/bin/sleep -> sleep 60
Source: /etc/32678 (PID: 6727)	Sleep executable: /usr/bin/sleep -> sleep 60

Reads CPU information from /sys indicative of miner or evasive malware

Source: /usr/bin/pkill (PID: 6317)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6714)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Sleeps for long times indicative of sandbox evasion

Source: /usr/bin/sleep (PID: 6263)	Sleeps longer then 60s: 60.0s	Jump to behavior
Source: /usr/bin/sleep (PID: 6362)	Sleeps longer then 60s: 60.0s
Source: /usr/bin/sleep (PID: 6727)	Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 6582)	Sleeps longer then 60s: 60.0s

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/linux_386.elf (PID: 6238)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 6243)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/linux_386.elf (PID: 6245)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 6284)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6373)	Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6399)	Queries kernel information via 'uname':

Stealing of Sensitive Information

Yara detected Chaos

Source: Yara match

File source: linux_386.elf, type: SAMPLE

Remote Access Functionality

Yara detected Chaos

Source: Yara match

File source: linux_386.elf, type: SAMPLE

ID:	1543426
Product:	CloudBasic
Start time:	20:37:06
Start date:	27.10.2024
Sample:	linux_386.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	4b53bd2b79fc8f18d1a5e591358bcfb9
SHA1:	4cde3dce676fb3a040472458c807b945d8ffefd8
SHA256:	30523d9f0e7898f89538e2babd0e305b4e25b06521418e299e4e983c8597b558
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/.img	a /bin/sh\n/usr/lib/libdlrpcld.so script, ASCII text executable, with no line terminators	D73D3376908EA075A939E3871AD0FABE	320FF65831247BA199515F1B94DF26CC8A3E5F76	EDBDABE30D8236A2C0A4EB89DFD597552130E4C1A4E93F8FE1568920442AD73A
/etc/32678	POSIX shell script, ASCII text executable	768EAF287796DA19E1CF5E0B2FB1B161	6A1CE2EE5CCC86D1F33806FEB14547B35290DF2A	1D22620DFB2A6715E5D745AED5CF841EDE0E75E1747F12B9B925A2D346BC7ECB
/etc/crontab	ASCII text	D38E3C32BA65827998A5C4EA922B3A9C	D20193ED8143D4B9D78CEF7DAF7D59764FA61B93	5588E10DD163E4B8068413D7768EAC82A13D9A15F42B6E1302744371327D23F0
/etc/init.d/linux_kill	POSIX shell script, ASCII text executable	3909975F7CC0D1121C1819B800069F31	3E68DE708C2E6C40FAB6794AFDEE3104E5590189	6876DAC71F13A068AFB863D257134275F2EDBA43B2ACAF4924FABF97C079070B
/etc/init.d/ssh	POSIX shell script, ASCII text executable	508355F283B1B75FCC556EC98D6ADF9D	27FC04383EB62D903131ACFA430FAE891F06A59B	F25DD90E39812B068BBF33F63F1B5FF45A5555CE6ECEFE7110188A378D201E08
/etc/profile.d/bash_config.sh	a /bin/sh\n/etc/profile.d/bash_config script, ASCII text executable, with no line terminators	CFB4E51061485FE91169381FBDC1538E	9A85B9B766A15B01737A41D680E4593B7A9BDE87	897F37267D0CEAA2FBDAA09847F5D08E6F8B01A0348A0D666264B0F10ACD0C90
/memfd:snapd-env-generator (deleted)	ASCII text	D86A1F5765F37989EB0EC3837AD13ECC	D749672A734D9DEAFD61DCA501C6929EC431B83E	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
/proc/6667/loginuid	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
/proc/6673/loginuid	very short file (no magic)	CFCD208495D565EF66E7DFF9F98764DA	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
/run/crond.pid	ASCII text	BBC07CD13ED8D917C6ADD252A7F95B99	37B9A61F1DA954649E82411E272343962FD4BB59	D655F920A095B2F2E4DADB986F165DF4F91475A551361D05F713B0B315588ECB
/tmp/#531563 (deleted)	ASCII text	F0FF1F84AA4225865074D448D0AFA741	494C08DD38BBCA03D81DDB3770279F73EA36B7A2	019E7FDF96FB5A5E5DBDE5F565996B62BE27945B32156AD91CA7894BBCE2E15C
/usr/lib/systemd/system/linux.service	ASCII text	D80CCC7CED99538F22336F2EC0249087	BE4DE9F604E065B53076A3D7BA702FE98C6B8746	0DC3E8552C3E6217E0DC7FD440C7BA4C9CD6E676CE2561E4F71949D2783AE968
/var/log/btmp	data	EA9B4868B1D2397012B872DF2855A4F5	1EB452E774E714F7DB74FF4D3E6AFBA1EA90CAF7	2F8377C8413F7B0858FCFEB3E8A93D0F27212DB58DE2247DDA74BFCB7ABC890C

Linux Analysis Report
linux_386.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Linux Analysis Report linux_386.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Linux Analysis Report
linux_386.elf

Malware Threat Intel
Provided by