Linux Analysis Report
tftp.elf

Overview

General Information

Sample name: tftp.elf
Analysis ID: 1544257
MD5: 46423fa406370c440548d5c485e0533a
SHA1: 88e69c243904bd86112ddc50ee2be549258f8fb6
SHA256: a6dfb29992ad42592e40c11c66a6389414919f145f3cabea21e91d9134463f53
Tags: elf, user-abuse_ch

Detection

Score: 1
Range: 0 - 100
Whitelisted: false

Signatures

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Uses the "uname" system call to query kernel version information (possible evasion). Note: the sample is a BusyBox multicall binary that ships a uname applet (uname_main is present in its symbol table), so a uname call is expected behaviour for this binary and is weak evidence of evasion on its own.

Classification

Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com (daisy.ubuntu.com is the Ubuntu error-reporting endpoint used by whoopsie; this lookup is consistent with analysis-host background traffic rather than activity of the sample, which contacted no IP)
Source: Initial sample String containing 'busybox' found: busybox_main
Source: Initial sample String containing 'busybox' found: _fini__uClibc_mainbb_applet_namerun_applet_by_namebb_error_msg_and_diebeen_there_done_thatstderrbb_msg_full_versionappletsfputsbb_strlenmemmovememsetusage_messagesstrcmpbsearchfind_applet_by_namebb_show_usagebusybox_maintest_maincat_mainchmod_mainchown_mainclear_maincp_maindate_maindf_maindu_mainecho_mainenv_mainfalse_mainhalt_mainhostname_mainifconfig_maininit_maininsmod_mainkill_mainln_mainls_mainlsmod_mainmesg_mainmkdir_mainmknod_mainmodprobe_mainmore_mainmsh_mainmv_mainnetstat_mainnslookup_mainping_mainpoweroff_mainps_mainpwd_mainreboot_mainreset_mainrm_mainrmdir_mainrmmod_mainstart_stop_daemon_mainstty_maintail_maintelnet_maintftp_maintop_maintouch_maintrue_mainumount_mainuname_mainuptime_mainwhoami_mainbb_getopt_ulflagsoptindbb_wfopen_inputfilenobb_copyfd_eofbb_fclose_nonstdinbb_parse_modechmodbb_perror_msgrecursive_actionlchownstrchrget_ug_idmy_getgrnammy_getpwnamlstatcp_mv_stat2cp_mv_statbb_get_last_path_componentconcat_path_filecopy_filefreebb_opt_complementalyputenvbb_perror_msg_and_dielocaltimememc
Source: classification engine Classification label: clean1.linELF@0/0@2/0
Source: /tmp/tftp.elf (PID: 5431) Queries kernel information via 'uname': Jump to behavior
Source: tftp.elf, 5431.1.000055a3bb616000.000055a3bb67a000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: tftp.elf, 5431.1.000055a3bb616000.000055a3bb67a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: tftp.elf, 5431.1.00007ffc4da1b000.00007ffc4da3c000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: tftp.elf, 5431.1.00007ffc4da1b000.00007ffc4da3c000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/tftp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp.elf
Note on the four memory strings above: they come from the process memory of qemu-mips, not from the sample file. The MIPS ELF was executed on an x86_64 analysis host through binfmt_misc (/etc/qemu-binfmt/mips) and the qemu-mips user-mode emulator, and the environment block (SUDO_USER, PATH, DISPLAY, HOME) belongs to the sandbox's own process, so it should not be treated as an indicator of the sample.
No contacted IP information
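As an added example (not part of the sandbox report or of BusyBox), the Python below reproduces the two static checks this verdict rests on: reading the ELF header to see why a MIPS binary had to be run under qemu-mips on an x86_64 host, and recovering BusyBox applet names from NUL-terminated "<applet>_main" symbols like the ones quoted in the classification section. The build_sample blob is constructed here from a subset of those symbol names and a hand-built ELF32 header; it is not the analysed file, so its hashes will not match the report's MD5/SHA256, and the code checks exactly that. REPORT_HASHES are the values printed in General Information; the MIPS and x86_64 e_machine constants are from the ELF specification.

```python
"""Offline triage of a suspected BusyBox multicall ELF (added example)."""
import hashlib
import re
import struct

EM_MIPS = 8        # e_machine for MIPS (ELF spec)
EM_X86_64 = 62     # e_machine for AMD x86-64 (ELF spec)

# Hashes quoted in the report's General Information section.
REPORT_HASHES = {
    "md5": "46423fa406370c440548d5c485e0533a",
    "sha256": "a6dfb29992ad42592e40c11c66a6389414919f145f3cabea21e91d9134463f53",
}

# Symbols the report quotes from the sample; together they are a strong BusyBox marker.
BUSYBOX_MARKERS = (b"busybox_main", b"bb_applet_name", b"run_applet_by_name", b"bb_show_usage")


def parse_elf_header(blob: bytes) -> dict:
    """Return class, endianness, type and machine from e_ident and the ELF header."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    fmt = ("<" if ei_data == 1 else ">") + "HH"        # e_type, e_machine follow e_ident
    e_type, e_machine = struct.unpack(fmt, blob[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
        # A non-x86_64 binary on an x86_64 sandbox needs binfmt_misc + qemu user emulation.
        "needs_qemu_on_x86_64": e_machine != EM_X86_64,
    }


def find_applets(blob: bytes) -> list:
    """Collect BusyBox applet names from NUL-terminated symbols of the form <applet>_main.

    Library entry points such as __uClibc_main are skipped because the pattern requires
    a lowercase letter first, so only applet entry points remain.
    """
    applets = set()
    for sym in blob.split(b"\x00"):
        m = re.fullmatch(rb"([a-z][a-z0-9_]*)_main", sym)
        if m:
            applets.add(m.group(1).decode())
    return sorted(applets)


def triage(blob: bytes) -> dict:
    """Combine header, applet and marker checks into one verdict dictionary."""
    hdr = parse_elf_header(blob)
    applets = find_applets(blob)
    markers = [m.decode() for m in BUSYBOX_MARKERS if m in blob]
    digests = {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }
    return {
        "header": hdr,
        "applets": applets,
        "busybox_markers": markers,
        "is_busybox": len(markers) >= 2 and "busybox" in applets,
        "has_uname_applet": "uname" in applets,   # explains the 'uname' behaviour signature
        "matches_report_sample": digests["sha256"] == REPORT_HASHES["sha256"],
        "digests": digests,
    }


def build_sample() -> bytes:
    """Constructed stand-in (not the real sample): ELF32 big-endian MIPS header followed by a
    .dynstr-style NUL-separated symbol list using names quoted in the report."""
    e_ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELF32, big-endian, version 1
    header = e_ident + struct.pack(
        ">HHIIIIIHHHHHH",
        2, EM_MIPS, 1, 0x400000, 52, 0, 0, 52, 32, 0, 40, 0, 0)   # ET_EXEC, EM_MIPS, ...
    symbols = [b"", b"_fini", b"__uClibc_main", b"bb_applet_name", b"run_applet_by_name",
               b"bb_show_usage", b"busybox_main", b"test_main", b"cat_main", b"telnet_main",
               b"tftp_main", b"uname_main", b"start_stop_daemon_main", b""]
    return header + b"\x00".join(symbols)


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["header"])
    print("applets:", result["applets"])
    print("busybox:", result["is_busybox"], "uname applet:", result["has_uname_applet"])
    print("matches report sample:", result["matches_report_sample"])
```

Run it against the real file by replacing build_sample() with open(path, "rb").read(); with the analysed sample, matches_report_sample should turn True and the applet list should reproduce the *_main names quoted in the classification section.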