Linux Analysis Report
linux_amd64.elf

Overview

General Information

Sample name: linux_amd64.elf
Analysis ID: 1546466
MD5: 6d3f428719e3dc48f73dabe695677ce3
SHA1: 682a189b9e804ba0a12e6cb20593abe83d80b55e
SHA256: 32a02c701513fbf1bbfd9aa5671fcacd84a5d1f5ddde35b1ebb7f8b6babaa145
Tags: elfuser-abuse_ch
Infos:

Detection

Chaos
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Chaos
Drops files in suspicious directories
Machine Learning detection for sample
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads CPU information from /sys indicative of miner or evasive malware
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sleeps for long times indicative of sandbox evasion
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes shell script file to disk with an unusual file extension
Writes shell script files to disk

Classification

Name Description Attribution Blogpost URLs Link
Chaos Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: linux_amd64.elf ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: linux_amd64.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6313) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6708) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 42628 -> 8088
Source: unknown Network traffic detected: HTTP traffic on port 8088 -> 42628
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:34388 -> 149.88.76.121:808
Reads the 'hosts' file potentially containing internal network hosts
Source: /tmp/linux_amd64.elf (PID: 6247) Reads hosts file: /etc/hosts Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /password.txt HTTP/1.1Host: 149.88.76.121:8088User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: linux_amd64.elf String found in binary or memory: http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qpadding bytes must all be zeros unless AllowIllegalWrites is enabledreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytestls: peer doesn't support the certificate custom signature algorithmsbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xgot %s for stream %d; expected CONTINUATION following %s for stream %dx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)dynamic table size update MUST occur at the beginning of a header blockssh: no common algorithm for %s; client offered: %v, server offered: %vtls: peer doesn't support any of the certificate's signature algorithmstoo many concurrent operations on a single file or socket (max 1048575)x509: issuer has name constraints but leaf doesn't have a SAN extensionMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)tls: server's certificate contains an unsupported type of public key: %Ttls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempt
Source: linux_amd64.elf String found in binary or memory: http: RoundTripper implementation (%T) returned a nil *Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromised1.0.3<<RMS>> equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: 78789.dns.army
Source: linux_amd64.elf String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_amd64.elf String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_amd64.elf String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_amd64.elf String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: linux_amd64.elf String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_amd64.elf String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_amd64.elf String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_amd64.elf String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_amd64.elf String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_amd64.elf String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_amd64.elf String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_amd64.elf String found in binary or memory: http://yandex.com/bots)http:
Source: linux_amd64.elf String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_amd64.elf String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_amd64.elf String found in binary or memory: https://www.so.com/s?q=index
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /usr/bin/pkill (PID: 6313) SIGKILL sent: pid: 6248, result: successful
Source: /usr/bin/pkill (PID: 6708) SIGKILL sent: pid: 6332, result: successful
Source: classification engine Classification label: mal80.spre.troj.evad.linELF@0/18@4/0
Source: ELF file section Submission: linux_amd64.elf

Persistence and Installation Behavior
barindex
Sample tries to persist itself using /etc/profile
Source: /tmp/linux_amd64.elf (PID: 6247) File: /etc/profile.d/bash_config.sh Jump to behavior
Sample tries to persist itself using cron
Source: /usr/bin/bash (PID: 6358) File: /etc/crontab
Sample tries to set files in /etc globally writable
Source: /tmp/linux_amd64.elf (PID: 6241) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6241) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Creates hidden files and/or directories
Source: /tmp/linux_amd64.elf (PID: 6247) File: /dev/.old Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /dev/.img Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /.img Jump to behavior
Source: /etc/id.services.conf (PID: 6712) File: /dev/.old
Source: /etc/id.services.conf (PID: 6712) File: /dev/.img
Source: /boot/System.img.config (PID: 6333) File: /dev/.old
Source: /boot/System.img.config (PID: 6333) File: /dev/.img
Creates hidden files without content (potentially used as a mutex)
Source: /boot/System.img.config (PID: 6333) Empty hidden file: /dev/.old
Source: /boot/System.img.config (PID: 6333) Empty hidden file: /dev/.img
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1698/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1698/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1576/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1576/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/2302/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/2302/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/6227/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/6227/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/6226/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/6226/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/912/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/912/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/2307/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/2307/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/918/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/918/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/6247/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/6247/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1594/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1594/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1349/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1349/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 6313) File opened: /proc/124/cmdline
Executes commands using a shell command-line interpreter
Source: /tmp/linux_amd64.elf (PID: 6245) Shell command executed: /bin/bash -c /etc/32678& Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6275) Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
Source: /tmp/linux_amd64.elf (PID: 6354) Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
Source: /usr/sbin/cron (PID: 6672) Shell command executed: /bin/sh -c "/.img "
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /boot/System.img.config (PID: 6313) Pkill executable: /usr/bin/pkill -> pkill -9 32678
Source: /etc/id.services.conf (PID: 6708) Pkill executable: /usr/bin/pkill -> pkill -9 32678
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 6246) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 6267) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 6270) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 6268) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6288) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6295) Systemctl executable: /usr/bin/systemctl -> systemctl enable linux.service
Source: /bin/bash (PID: 6304) Systemctl executable: /usr/bin/systemctl -> systemctl start linux.service
Source: /usr/sbin/service (PID: 6384) Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service
Source: /usr/sbin/service (PID: 6387) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6400) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /tmp/linux_amd64.elf (PID: 6476) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6710) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6726) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6728) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 6331) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6350) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6352) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Sample tries to set the executable flag
Source: /tmp/linux_amd64.elf (PID: 6241) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6241) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /boot/System.img.config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/lib/libdlrpcld.so (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/lib/system-monitor (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/ss (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/ls (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/dir (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/find (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes shell script file to disk with an unusual file extension
Source: /tmp/linux_amd64.elf (PID: 6241) Writes shell script file to disk with an unusual file extension: /etc/32678 Jump to dropped file
Source: /tmp/linux_amd64.elf (PID: 6247) Writes shell script file to disk with an unusual file extension: /etc/init.d/linux_kill Jump to dropped file
Source: /tmp/linux_amd64.elf (PID: 6247) Writes shell script file to disk with an unusual file extension: /.img Jump to dropped file
Source: /tmp/linux_amd64.elf (PID: 6247) Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh Jump to dropped file
Writes shell script files to disk
Source: /tmp/linux_amd64.elf (PID: 6247) Shell script file created: /etc/profile.d/bash_config.sh Jump to dropped file
Source: /usr/sbin/service (PID: 6271) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 6401) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6729) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6353) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection
barindex
Drops files in suspicious directories
Source: /tmp/linux_amd64.elf (PID: 6247) File: /etc/init.d/linux_kill Jump to dropped file
Source: /tmp/linux_amd64.elf (PID: 6247) File: /etc/init.d/ssh Jump to dropped file
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 42628 -> 8088
Source: unknown Network traffic detected: HTTP traffic on port 8088 -> 42628
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /etc/32678 (PID: 6262) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 6348) Sleep executable: /usr/bin/sleep -> sleep 60
Source: /etc/32678 (PID: 6724) Sleep executable: /usr/bin/sleep -> sleep 60
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6313) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6708) Reads CPU info from /sys: /sys/devices/system/cpu/online
Sleeps for long times indicative of sandbox evasion
Source: /usr/bin/sleep (PID: 6262) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/bin/sleep (PID: 6348) Sleeps longer then 60s: 60.0s
Source: /usr/bin/sleep (PID: 6724) Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 6475) Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 6689) Sleeps longer then 60s: 60.0s
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/linux_amd64.elf (PID: 6241) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 6245) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/linux_amd64.elf (PID: 6247) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 6275) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6354) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6358) Queries kernel information via 'uname':

Stealing of Sensitive Information
barindex
Yara detected Chaos
Source: Yara match File source: linux_amd64.elf, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Chaos
Source: Yara match File source: linux_amd64.elf, type: SAMPLE

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
149.88.76.121
 78789.dns.army United States
188 SAIC-ASUS false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
78789.dns.army 149.88.76.121 true
www.google.com 142.250.181.228 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://149.88.76.121:8088/password.txt false
    		unknown