Linux Analysis Report
vmpcow.elf

Overview

General Information

Sample name: vmpcow.elf
Analysis ID: 1545736
MD5: 5df62a68cab91f2fdf4f80667af4d9c3
SHA1: 82661c098f9f8b5f4233432a966186438b6411c8
SHA256: bad9bff0b3e11481a8874e368f3c0930937237b33bf9b8815a504b2efa858e82
Tags: elfuser-MDMCk10

Detection

Masscan
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Masscan tool
Contains VNC / remote desktop functionality (version string found)
Sample contains only a LOAD segment without any section mappings
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Yara signature match

Classification

AV Detection

Source: vmpcow.elf ReversingLabs: Detection: 13%

Networking

The URL hits below are static strings in the binary, not observed traffic: the GitHub URLs are masscan's own project links, nmap.xsl is the stylesheet reference masscan writes into its nmap-compatible XML output, and the GeoTrust, Google PKI and Yahoo URLs are the kind carried inside an embedded X.509 certificate (consistent with parser self-test data rather than callback infrastructure). The analysis recorded no contacted IPs.

Source: Yara match File source: vmpcow.elf, type: SAMPLE
Source: vmpcow.elf String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: vmpcow.elf String found in binary or memory: www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: vmpcow.elf String found in binary or memory: http://bit.ly/14GZzcT)
Source: vmpcow.elf String found in binary or memory: http://clients1.google.com/ocsp0
Source: vmpcow.elf String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl0=
Source: vmpcow.elf String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: vmpcow.elf String found in binary or memory: http://failsafe.fp.yahoo.com/404.html
Source: vmpcow.elf String found in binary or memory: http://gtglobal-ocsp.geotrust.com0
Source: vmpcow.elf String found in binary or memory: http://nmap.org/svn/docs/nmap.xsl
Source: vmpcow.elf String found in binary or memory: http://nmap.org/svn/docs/nmap.xslCONF:
Source: vmpcow.elf String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: vmpcow.elf String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: vmpcow.elf String found in binary or memory: https://github.com/robertdavidgraham/
Source: vmpcow.elf String found in binary or memory: https://github.com/robertdavidgraham/masscan
Source: vmpcow.elf String found in binary or memory: https://github.com/robertdavidgraham/masscan)
Source: vmpcow.elf String found in binary or memory: https://github.com/robertdavidgraham/masscanCONF:
Source: vmpcow.elf String found in binary or memory: https://www.geotrust.com/resources/repository0

System Summary

The "Potential command found" hits below are HTTP request lines, several of them deliberately malformed (GET / FOO, GET /foo.htmlGET /foo.html HTTP/1.0), which is consistent with masscan's HTTP banner probes and protocol-parser self-tests rather than with command strings received from a controller. The other structural findings (a single PT_LOAD program segment at 0x400000 with no section headers, no .symtab) describe a stripped, statically linked scanner build, not a packer or injector.

Source: vmpcow.elf, type: SAMPLE Matched rule: Linux_Hacktool_Portscan_a40c7ef0 Author: unknown
Source: vmpcow.elf, type: SAMPLE Matched rule: Linux_Hacktool_Portscan_e191222d Author: unknown
Source: vmpcow.elf, type: SAMPLE Matched rule: masscan is a performant port scanner, it produces results similar to nmap Author: @mimeframe
Source: LOAD without section mappings Program segment: 0x400000
Source: Initial sample Potential command found: GET /version HTTP/1.1
Source: Initial sample Potential command found: GET / HTTP/1.0
Source: Initial sample Potential command found: GET / HTTP/1.1
Source: Initial sample Potential command found: GET / FOO
Source: Initial sample Potential command found: GET / XXXXXXXXXXXX
Source: Initial sample Potential command found: GET / HTTP/1.1
Source: Initial sample Potential command found: GET /foo.html
Source: Initial sample Potential command found: GET /foo.html HTTP/1.0
Source: Initial sample Potential command found: GET /longerthan HTTP/1.0
Source: Initial sample Potential command found: GET /foo.html HTTP/1.0
Source: Initial sample Potential command found: GET /foo.htmlGET /foo.html HTTP/1.0
Source: Initial sample Potential command found: arp does not encapsulate another protocol
Source: ELF static info symbol of initial sample .symtab present: no
Source: vmpcow.elf, type: SAMPLE Matched rule: Linux_Hacktool_Portscan_a40c7ef0 reference_sample = c389c42bac5d4261dbca50c848f22c701df4c9a2c5877dc01e2eaa81300bdc29, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Portscan, fingerprint = bf686c3c313936a144265cbf75850c8aee3af3ae36cb571050c7fceed385451d, id = a40c7ef0-627c-4965-b4d3-b05b79586170, last_modified = 2021-09-16
Source: vmpcow.elf, type: SAMPLE Matched rule: Linux_Hacktool_Portscan_e191222d reference_sample = e2f4313538c3ef23adbfc50f37451c318bfd1ffd0e5aaa346cce4cc37417f812, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Portscan, fingerprint = 5580dd8b9180b8ff36c7d08a134b1b3782b41054d8b29b23fc5a79e7b0059fd1, id = e191222d-633a-4408-9a54-a70bb9e89cc0, last_modified = 2021-09-16
Source: vmpcow.elf, type: SAMPLE Matched rule: hacktool_multi_masscan author = @mimeframe, description = masscan is a performant port scanner, it produces results similar to nmap, reference = https://github.com/robertdavidgraham/masscan
Source: classification engine Classification label: mal68.troj.linELF@0/0@0/0
Source: vmpcow.elf Binary or memory string: [hint] VMware on Macintosh doesn't support masscan
Source: vmpcow.elf Binary or memory string: VMware
Source: vmpcow.elf Binary or memory string: vmnet1
Source: vmpcow.elf Binary or memory string: subject[VMware ESX Server Default Certificate]
Source: vmpcow.elf Binary or memory string: icmperrcwr-ece-urg-ack-psh-rst-syn-fin-CompulabAaeonICPelecVMwareSeagateSynologyAsusD-LinkAppleAzurewaveOdroidRPi 22-11SupermicroCiscoUbiquiti[random]AmazonRPi 22-02HPRPi 20-07Cisco-LinksysRPi 19-12ZyxelTrolinkBelkinRPi 19-03RPi 12-03CeLinkNetgearParrotunknown status type: %u
Source: vmpcow.elf Binary or memory string: issuer[VMware Inc]
Source: vmpcow.elf Binary or memory string: ---------------nasend~~]issuer[iPECS]issuer[McAfeeissuer[webmin]issuer[Webmin subject[HP-IPG]issuer[LaCie SA]subject[OpenWrt]issuer[Puppet CAissuer[Kasperskysubject[Fortinet]issuer[ICC-FW CA]issuer[HIKVISION]subject[SHARP MX-issuer[GANDI SAS]subject[FortiGate]issuer[watchguard]issuer[VMware Inc]issuer[eBox Server]subject[WatchGuard]issuer[RapidSSL CA]issuer[AddTrust AB]issuer[Cisco SSCA2]subject[Cisco SSCA2]issuer[v] issuer[v]issuer[Register.com]issuer[Thawte, Inc.]issuer[thawte, Inc.]issuer[EQ-MT-RAPTOR]issuer[DigiCert Inc]issuer[TERENA SSL CA]issuer[WatchGuard CA]issuer[OpenVPN Web CAissuer[GeoTrust Inc.]issuer[TS Series NAS]subject[Polycom Inc.]issuer[Fortinet Ltd.]issuer[Synology Inc.]issuer[XX] issuer[XX]2Wire]Gateway Device]subject[DigiCert Inc]issuer[SamsungTechwin]issuer[TAIWAN-CA INC.]issuer[GeoTrust, Inc.]issuer[ValiCert, Inc.]issuer[Apache Friends]issuer[VeriSign, Inc.]issuer[Cybertrust Inc]subject[HiTRON SYSTEMS]issuer[SonicWALL, Inc.]issuer[Future Systems.]issuer[Polycom Root CA]issuer[AlphaSSL CA - G2]issuer[GlobalSign nv-sa]SonicWALL, Inc.]SSL-VPN]issuer[Comodo CA Limited]issuer[COMODO CA Limited]issuer[GoDaddy.com, Inc.]subject[Barracuda Networks]issuer[Equifax Secure Inc.]issuer[Gandi Standard SSL CA]issuer[The USERTRUST Network]subject[Polycom] subject[VSG]issuer[EuropeanSSL Server CA]issuer[SuSE Linux Web Server]issuer[CradlePoint Technology]SonicWALL]Secure Remote Access]subject[SomeOrganizationalUnit]issuer[Internet Widgits Pty Ltd]issuer[Network Solutions L.L.C.]issuer[The Go Daddy Group, Inc.]issuer[Nepenthes Development Team]issuer[WoSign Class 1 DV Server CA]issuer[Polycom Equipment Policy CA]issuer[Starfield Technologies, Inc.]issuer[Certum Certification Authority]subject[Fujitsu CELVIN(R) NAS Server]SonicWALL, Inc.]Secure Remote Access]issuer[Secure Digital Certificate Signing]issuer[Equifax Secure Certificate Authority]subject[VMware ESX Server Default Certificate]issuer[Cisco Systems] 
issuer[Cisco Manufacturing CA]truefalseoffline = %s
Source: vmpcow.elf Binary or memory string: %s: ftell failed (file system error? seen with VMware HGFS bug)
Source: vmpcow.elf Binary or memory string: if: datalinkvmnet1\Device\NPF_[-] if = not found (err=%d)

Remote Access Functionality

The RFB version strings below are VNC protocol greeting banners (RFB 003.889 is the Apple Remote Desktop variant). In masscan they belong to the VNC banner-grabbing probe that fingerprints scanned hosts; they do not show that the sample implements a VNC server or client for remote control, so this signature should be read as scanner fingerprinting rather than remote-access capability.

Source: vmpcow.elf String found in binary or memory: RFB 000.000
Source: vmpcow.elf String found in binary or memory: RFB 003.003
Source: vmpcow.elf String found in binary or memory: RFB 003.005
Source: vmpcow.elf String found in binary or memory: RFB 003.006
Source: vmpcow.elf String found in binary or memory: RFB 003.007
Source: vmpcow.elf String found in binary or memory: RFB 003.008
Source: vmpcow.elf String found in binary or memory: RFB 003.889
Source: vmpcow.elf String found in binary or memory: RFB 003.009
Source: vmpcow.elf String found in binary or memory: RFB 004.000
Source: vmpcow.elf String found in binary or memory: RFB 004.001
Source: vmpcow.elf String found in binary or memory: RFB 004.002
No contacted IP infos
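The structural and string checks the report lists (hashes, a LOAD segment without section mappings, a stripped symbol table, the masscan project URL, the VMware hint string, the RFB banners and the nmap.xsl reference) can be reproduced with a short static triage script. The following is an added example written for this page, not code from the sandbox or from the masscan project. It parses the ELF64 headers directly with struct, searches for the indicator patterns, and builds a small ELF image inline (one PT_LOAD at 0x400000, no section headers, a string table mimicking the report's hits) so it runs offline; the INDICATORS table and the constructed image are assumptions for illustration, not the analysed sample.

```python
"""Static triage of an ELF sample, reproducing the checks the report lists:
file hashes, "only a LOAD segment without any section mappings", stripped
.symtab, and indicator strings (masscan project URL, VMware hint, RFB
banners, nmap.xsl).  The ELF image is constructed inline so the script runs
offline; it is not the analysed sample."""
import hashlib
import re
import struct

# Indicator patterns drawn from the strings in the report.  This list is an
# illustrative assumption, not the sandbox's rule set.
INDICATORS = {
    "masscan_repo": rb"https://github\.com/robertdavidgraham/masscan",
    "masscan_hint": rb"VMware on Macintosh doesn't support masscan",
    "rfb_banner": rb"RFB \d{3}\.\d{3}",
    "nmap_xsl": rb"http://nmap\.org/svn/docs/nmap\.xsl",
}

PT_LOAD, SHT_SYMTAB = 1, 2


def file_hashes(data: bytes) -> dict:
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def has_symtab(data: bytes, shoff: int, shentsize: int, shnum: int) -> bool:
    """True if any section header has sh_type == SHT_SYMTAB (sh_type sits at +4)."""
    if shoff == 0 or shnum == 0:
        return False
    return any(struct.unpack_from("<I", data, shoff + i * shentsize + 4)[0] == SHT_SYMTAB
               for i in range(shnum))


def parse_elf64(data: bytes) -> dict:
    """Program-header and section-header facts from a little-endian ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # Fields after e_ident: type, machine, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    (_type, _machine, _ver, entry, phoff, shoff, _flags, _ehsize,
     phentsize, phnum, shentsize, shnum, _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    loads = []
    for i in range(phnum):
        p_type, p_flags, p_offset, p_vaddr = struct.unpack_from("<IIQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append({"flags": p_flags, "offset": p_offset, "vaddr": p_vaddr})
    return {
        "entry": entry,
        "load_segments": loads,
        "section_count": 0 if shoff == 0 else shnum,
        "has_symtab": has_symtab(data, shoff, shentsize, shnum),
    }


def find_indicators(data: bytes) -> dict:
    """Unique matches per indicator, decoded for readability (all patterns are ASCII)."""
    return {name: sorted({m.decode() for m in re.findall(pat, data)})
            for name, pat in INDICATORS.items()}


def triage(data: bytes) -> dict:
    elf = parse_elf64(data)
    hits = find_indicators(data)
    return {
        "hashes": file_hashes(data),
        # The report's "only a LOAD segment without any section mappings"
        "load_without_sections": bool(elf["load_segments"]) and elf["section_count"] == 0,
        # The report's ".symtab present: no"
        "stripped": not elf["has_symtab"],
        "first_load_vaddr": elf["load_segments"][0]["vaddr"] if elf["load_segments"] else None,
        "indicators": {k: v for k, v in hits.items() if v},
    }


def build_sample_elf() -> bytes:
    """Constructed ELF64: one PT_LOAD at 0x400000, no section headers, and a
    string table mimicking the report's hits.  Test data, not the sample."""
    payload = b"\0".join([
        b"https://github.com/robertdavidgraham/masscan",
        b"[hint] VMware on Macintosh doesn't support masscan",
        b"RFB 003.008", b"RFB 003.889",
        b"http://nmap.org/svn/docs/nmap.xsl",
    ]) + b"\0"
    ehsize, phsize, base = 64, 56, 0x400000
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, base + ehsize + phsize,  # ET_EXEC, x86-64
                                 ehsize, 0, 0, ehsize, phsize, 1, 64, 0, 0)  # e_shoff = 0
    total = ehsize + phsize + len(payload)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)  # R+X
    return ehdr + phdr + payload


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_elf()), indent=2))
```

Against a real file, call triage(open("vmpcow.elf", "rb").read()) and compare the hashes with the ones at the top of the report before trusting any other field; the load_without_sections and stripped flags are exactly the two structural signatures above, and a non-empty indicators dict is the cheap string-level equivalent of the Yara hits, useful for a quick second opinion but no substitute for the rule itself.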