Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf

Overview

General Information

Sample name: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf
Analysis ID: 1545788
MD5: fe7569278ec332de619002b9d8408d15
SHA1: 1d6779b85825c8f0cd8117efddc5e6595b6c86c4
SHA256: c3d275f06dceee587b6c1b4ef14bfa4b21f0d5a006aed705292f5a219e32679c
Tags: elf
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf ReversingLabs: Detection: 39%
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
ELF contains segments with high entropy indicating compressed/encrypted content
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf Submission file: segment LOAD with 7.947 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf (PID: 5423) Queries kernel information via 'uname': Jump to behavior
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf, 5423.1.000055d96b66f000.000055d96b6f6000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf, 5423.1.000055d96b66f000.000055d96b6f6000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf, 5423.1.00007ffcc01c6000.00007ffcc01e7000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf, 5423.1.00007ffcc01c6000.00007ffcc01e7000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: SecuriteInfo.com.Linux.Siggen.9999.3560.30702.elf, 5423.1.00007ffcc01c6000.00007ffcc01e7000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
windows-stand
No contacted IP infos

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true