Linux Analysis Report
sshd.elf

ID:	1544950
Product:	CloudBasic
Start time:	22:12:08
Start date:	29.10.2024
Sample:	sshd.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	6ee0f00a2b7666dfff2975977f5931f3
SHA1:	a69336d0f3c9b1f98231998d818c8dd87195eeac
SHA256:	f3284261954c3fad15161ebfb935d89c6894a8cc59749693d665ad5864aada87
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: sshd.elf

ReversingLabs: Detection: 21%

Networking

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: sshd.elf	ELF static info symbol of initial sample: freeaddrinfo
Source: sshd.elf	ELF static info symbol of initial sample: gai_strerror
Source: sshd.elf	ELF static info symbol of initial sample: getaddrinfo
Source: sshd.elf	ELF static info symbol of initial sample: getnameinfo

Source: sshd.elf	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sshd.elf	String found in binary or memory: http://www.openssl.org/support/faq.htmlmd_rand.c

System Summary

Source: Initial sample	Potential command found: ssh server is locked, please try again %dmin after !!!
Source: Initial sample	Potential command found: X11 forwarding
Source: Initial sample	Potential command found: X11 forwarding disabled in user configuration file.
Source: Initial sample	Potential command found: X11 forwarding disabled in server configuration file.
Source: Initial sample	Potential command found: X11 display already set.
Source: Initial sample	Potential command found: X11 connection requested.
Source: Initial sample	Potential command found: X11 connection from %.200s port %d
Source: Initial sample	Potential command found: X11 connection rejected because of wrong authentication.
Source: Initial sample	Potential command found: X11 rejected %d i%d/o%d
Source: Initial sample	Potential command found: X11 closed %d i%d/o%d
Source: Initial sample	Potential command found: X11 inet listener
Source: Initial sample	Potential command found: X11 connection uses different authentication protocol.
Source: Initial sample	Potential command found: X11 auth data does not match fake data.
Source: Initial sample	Potential command found: X11 fake_data_len %d != saved_data_len %d

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@2/0

Malware Analysis System Evasion

Source: ELF symbol in initial sample

Symbol name: usleep

Source: /tmp/sshd.elf (PID: 5430)

Queries kernel information via 'uname':

Jump to behavior

Source: sshd.elf, 5430.1.00007fff74d18000.00007fff74d39000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/sshd.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sshd.elf
Source: sshd.elf, 5430.1.00007fff74d18000.00007fff74d39000.rw-.sdmp	Binary or memory string: qemu: %s: %s
Source: sshd.elf, 5430.1.00007fff74d18000.00007fff74d39000.rw-.sdmp	Binary or memory string: leqemu: %s: %s
Source: sshd.elf, 5430.1.0000562238c22000.0000562238d50000.rw-.sdmp	Binary or memory string: 8"V!/etc/qemu-binfmt/arm
Source: sshd.elf, 5430.1.0000562238c22000.0000562238d50000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: sshd.elf, 5430.1.00007fff74d18000.00007fff74d39000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: sshd.elf, 5430.1.0000562238c22000.0000562238d50000.rw-.sdmp	Binary or memory string: 8"Vrg.qemu.gdb.arm.sys.regs">
Source: sshd.elf, 5430.1.0000562238c22000.0000562238d50000.rw-.sdmp	Binary or memory string: rg.qemu.gdb.arm.sys.regs">