Linux Analysis Report
zone.i686.elf

Overview

General Information

Sample name: zone.i686.elf
Analysis ID: 1546573
MD5: 7c5af0d55f90e9090314da8046588691
SHA1: 72ee43da29549f382e7ce64167617a2eccb20a1f
SHA256: 6790fe9eca0f27c35c6419a31ab432566514e3272d9528fff959788716b04ca2
Tags: elf, user-abuse_ch

Detection

Score: 23
Range: 0 - 100
Whitelisted: false

Signatures

Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: classification engine Classification label: sus23.evad.linELF@0/0@0/0

Network Behavior

Source: unknown TCP traffic detected without corresponding DNS query: 38.60.221.177 (30 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (2 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (2 connections)
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: zone.i686.elf String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x8048000

Analyst note: none of the connections above is attributed to a process ("Source: unknown"), so check the pcap before calling any of them C2. 38.60.221.177 is the only address contacted repeatedly, and the sample's own stderr reads like a job-polling loop ("[*] get job", see the stderr output below), which makes it the candidate job server. 91.189.91.42 and 91.189.91.43 sit in Canonical's address space and are most likely Ubuntu background traffic from the analysis VM rather than sample activity (an assumption to verify against the pcap). "HTTP traffic on port 43928 -> 443" is the sandbox's label for a connection from ephemeral port 43928 (and 42836) to TCP/443; the payload on 443 is normally TLS, so do not expect cleartext HTTP in the capture.

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Analyst note: the UPX version string is intact, which means the packer header was not stripped or patched; `upx -d` is the first thing to try. If UPX refuses the file (modified magic or header), let the sample unpack itself and dump the process image instead.
System Behavior

Source: /tmp/zone.i686.elf (PID: 6246) Shell command executed: /bin/bash -c uptime
Source: /usr/bin/bash (PID: 6249) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6253) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6302) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6306) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6339) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6343) Grep executable: /usr/bin/grep -> grep ens160
Source: /tmp/zone.i686.elf (PID: 6232) Reads from proc file: /proc/stat
Source: /tmp/zone.i686.elf (PID: 6236) Reads from proc file: /proc/stat
Source: /tmp/zone.i686.elf (PID: 6236) Reads from proc file: /proc/sys/net/core/somaxconn
Source: /usr/bin/bash (PID: 6250) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /usr/bin/bash (PID: 6254) Awk executable: /usr/bin/awk -> awk "{print $10}"
Source: /usr/bin/bash (PID: 6303) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /usr/bin/bash (PID: 6307) Awk executable: /usr/bin/awk -> awk "{print $10}"
Source: /usr/bin/bash (PID: 6340) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /usr/bin/bash (PID: 6344) Awk executable: /usr/bin/awk -> awk "{print $10}"

Analyst note: the grep and awk processes come in consecutive-PID pairs (6249/6250, 6253/6254, 6302/6303, 6306/6307, 6339/6340, 6343/6344), i.e. three rounds of two pipelines of the form grep ens160 | awk '{print $2}' and grep ens160 | awk '{print $10}'. The file piped into grep is not captured in the report, but on an interface line of /proc/net/dev field 2 is the receive byte counter and field 10 is the transmit byte counter, so the most likely reading (an inference, not something the report states) is that the sample samples per-interface rx/tx bytes, alongside /proc/stat for CPU time and uptime for load average, and reports host load to its controller. The hard-coded interface name ens160 is worth noting: on a host whose interface is named differently the pipeline returns nothing.
Source: submitted sample Stderr (exit code = 0):
2024/11/01 00:08:04 timeout: 2m0s
2024/11/01 00:08:04 [*] get job
2024/11/01 00:08:04 timeout: 2m0s
2024/11/01 00:08:04 timeout: 2m0s
2024/11/01 00:08:05 timeout: 2m0s

Analyst note: the "2024/11/01 00:08:04 " timestamp prefix and the "2m0s" duration string are the default formats of Go's log package and time.Duration, which suggests the packed payload is a Go binary (an inference from the output format; the report does not identify the language).
Source: zone.i686.elf Submission file: segment LOAD with 7.8938 entropy (max. 8.0)
Source: zone.i686.elf Submission file: segment LOAD with 7.9999 entropy (max. 8.0)
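As an added worked example (not part of the sandbox report and not the sample's code), the following Python script reproduces the static checks behind the UPX-string, high-entropy and "LOAD without section mappings" signatures above: it parses the ELF program headers for both ELF32 and ELF64, reports whether any section headers exist, computes Shannon entropy per PT_LOAD segment and looks for the UPX marker string. With no argument it runs against a constructed in-memory ELF32/i386 image (UPX-like layout: one LOAD at 0x8048000 starting at file offset 0, no sections, a pseudo-random body); with a path argument it triages that file. The 7.0-bit threshold is an assumed triage cut-off, not a value from the report.

```python
import hashlib
import math
import struct
import sys

PT_LOAD = 1
UPX_MARKER = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"
ENTROPY_THRESHOLD = 7.0  # assumed triage cut-off; byte entropy maxes out at 8.0 bits


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_elf(data: bytes) -> dict:
    """Read the ELF header and program headers (ELF32 or ELF64, little-endian only)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = data[4]
    # 'order' gives the tuple positions of (p_type, p_offset, p_vaddr, p_filesz, p_flags)
    # in each class's program-header layout, which differ between ELF32 and ELF64.
    if ei_class == 1:    # ELFCLASS32: 52-byte header, 32-byte program headers
        hdr_fmt, phdr_fmt, order = "<16sHHIIIIIHHHHHH", "<8I", (0, 1, 2, 4, 6)
    elif ei_class == 2:  # ELFCLASS64: 64-byte header, 56-byte program headers
        hdr_fmt, phdr_fmt, order = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", (0, 2, 3, 5, 1)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(hdr_fmt, data, 0)
    segments = []
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz, p_flags = (ph[k] for k in order)
        segments.append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                         "filesz": p_filesz, "flags": p_flags})
    return {"class": ei_class, "type": e_type, "machine": e_machine, "entry": e_entry,
            "shoff": e_shoff, "shnum": e_shnum, "segments": segments}


def triage(data: bytes) -> dict:
    """Static packer triage: UPX marker, missing section table, per-LOAD-segment entropy."""
    info = parse_elf(data)
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    for s in loads:
        body = data[s["offset"]:s["offset"] + s["filesz"]]
        s["entropy"] = round(shannon_entropy(body), 4)
    return {
        "machine": info["machine"],                 # 3 = EM_386, 62 = EM_X86_64
        "entry": hex(info["entry"]),
        "upx_marker": UPX_MARKER in data,
        "no_sections": info["shnum"] == 0,          # e_shnum == 0: nothing for readelf -S to show
        "load_segments": [(hex(s["vaddr"]), s["entropy"]) for s in loads],
        "high_entropy_segments": [hex(s["vaddr"]) for s in loads if s["entropy"] >= ENTROPY_THRESHOLD],
        "file_entropy": round(shannon_entropy(data), 4),
    }


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a compressed payload."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def build_sample_elf() -> bytes:
    """Constructed test input (NOT the real sample): ELF32/i386, one PT_LOAD covering the
    whole file at 0x8048000, no section headers, UPX marker string plus random-looking body."""
    body = UPX_MARKER + _pseudo_random_bytes(4096)
    total = 52 + 32 + len(body)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # class32, little-endian, v1, SYSV ABI
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", e_ident, 2, 3, 1, 0x8048000 + 84, 52, 0, 0,
                       52, 32, 1, 0, 0, 0)                  # ET_EXEC, EM_386, e_shnum = 0
    phdr = struct.pack("<8I", PT_LOAD, 0, 0x8048000, 0x8048000, total, total, 5, 0x1000)
    return ehdr + phdr + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

A UPX-packed ELF shows exactly this combination: the marker string, e_shnum of 0, and a LOAD segment whose entropy sits close to 8.0 bits because the body is compressed. A legitimately stripped binary keeps its section table and has text segments well below the threshold, so the three signals together are more useful than any one of them.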
Anti-Analysis / Evasion

Source: /usr/bin/uptime (PID: 6246) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/bash (PID: 6246) Queries kernel information via 'uname'
Source: /usr/bin/bash (PID: 6247) Queries kernel information via 'uname'
Source: /usr/bin/bash (PID: 6251) Queries kernel information via 'uname'
Source: /usr/bin/bash (PID: 6300) Queries kernel information via 'uname'
Source: /usr/bin/bash (PID: 6304) Queries kernel information via 'uname'
Source: /usr/bin/bash (PID: 6337) Queries kernel information via 'uname'
Source: /usr/bin/bash (PID: 6341) Queries kernel information via 'uname'

Analyst note: both signatures in this group fire on processes the sample spawned (uptime and the bash instances that run the grep/awk pipelines), not on the sample binary itself. The /sys/devices/system/cpu/online read is what uptime does to compute load, and the uname calls come from each fresh bash process, so neither is strong evidence of deliberate sandbox evasion; treat them as a by-product of the host-profiling shell commands above.
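As an added example (not from the report or the sample), the following Python script turns the behaviour lines above into a detection: it parses "Source: <image> (PID: n) <signature>: <detail>" lines, pairs each grep with the awk stage that follows it by PID, maps the awk field number to the /proc/net/dev column it would select, and flags the combination of interface-counter pipelines, /proc and /sys reads and repeated uname calls as host profiling. The event log embedded below is copied from the report lines above (a subset, with the link text removed); the /proc/net/dev content is constructed so that the field mapping can be checked offline. Reading the awk field numbers as /proc/net/dev columns is an assumption, since the report does not show what file was piped into grep.

```python
import re

# Behaviour lines copied from the sandbox report (subset; "Jump to behavior" link text dropped).
EVENTS_LOG = """\
Source: /tmp/zone.i686.elf (PID: 6246) Shell command executed: /bin/bash -c uptime
Source: /usr/bin/bash (PID: 6249) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6253) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6302) Grep executable: /usr/bin/grep -> grep ens160
Source: /usr/bin/bash (PID: 6306) Grep executable: /usr/bin/grep -> grep ens160
Source: /tmp/zone.i686.elf (PID: 6232) Reads from proc file: /proc/stat
Source: /tmp/zone.i686.elf (PID: 6236) Reads from proc file: /proc/sys/net/core/somaxconn
Source: /usr/bin/bash (PID: 6250) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /usr/bin/bash (PID: 6254) Awk executable: /usr/bin/awk -> awk "{print $10}"
Source: /usr/bin/bash (PID: 6303) Awk executable: /usr/bin/awk -> awk "{print $2}"
Source: /usr/bin/bash (PID: 6307) Awk executable: /usr/bin/awk -> awk "{print $10}"
Source: /usr/bin/uptime (PID: 6246) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /bin/bash (PID: 6246) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6247) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6251) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6300) Queries kernel information via 'uname':
"""

# Constructed /proc/net/dev content (two interfaces, made-up counters) for checking the awk fields.
PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
ens160: 12345678   98765    0    0    0     0          0         0  8765432   54321    0    0    0     0       0          0
"""

# Column order of /proc/net/dev after the "iface:" token ($1); $2 is rx_bytes, $10 is tx_bytes.
NETDEV_COLUMNS = ["rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo", "rx_frame",
                  "rx_compressed", "rx_multicast", "tx_bytes", "tx_packets", "tx_errs",
                  "tx_drop", "tx_fifo", "tx_colls", "tx_carrier", "tx_compressed"]

LINE_RE = re.compile(r"^Source: (?P<image>\S+) \(PID: (?P<pid>\d+)\) (?P<kind>[^:]+):\s*(?P<detail>.*)$")
GREP_RE = re.compile(r"-> grep\s+(\S+)")
AWK_FIELD_RE = re.compile(r"""awk\s+["']\{print \$(\d+)\}["']""")


def netdev_column(field: int) -> str:
    """Name of the /proc/net/dev column that awk '{print $field}' selects on an interface line."""
    return NETDEV_COLUMNS[field - 2] if 2 <= field <= 17 else "unknown"


def awk_print_field(text: str, field: int) -> list:
    """Emulate awk '{print $N}' with default whitespace splitting, one result per line."""
    return [ln.split()[field - 1] for ln in text.splitlines() if len(ln.split()) >= field]


def grep_awk(text: str, pattern: str, field: int) -> list:
    """Emulate 'grep <pattern> | awk "{print $N}"' over the given text."""
    return awk_print_field("\n".join(ln for ln in text.splitlines() if pattern in ln), field)


def parse_events(log: str) -> list:
    """Turn sandbox behaviour lines into {image, pid, kind, detail} events; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"image": m["image"], "pid": int(m["pid"]),
                           "kind": m["kind"], "detail": m["detail"]})
    return events


def detect(events: list) -> dict:
    """Summarise the host-profiling pattern seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    f = {"shell_commands": [], "iface_counter_pipelines": [], "proc_sys_reads": [], "uname_pids": []}
    for e in events:
        kind, detail = e["kind"], e["detail"]
        if kind == "Shell command executed":
            f["shell_commands"].append(detail)
        elif kind == "Grep executable":
            # A shell pipeline forks its stages back to back, so the awk stage normally gets PID+1.
            g, nxt = GREP_RE.search(detail), by_pid.get(e["pid"] + 1)
            a = AWK_FIELD_RE.search(nxt["detail"]) if nxt and nxt["kind"] == "Awk executable" else None
            if g and a:
                field = int(a.group(1))
                f["iface_counter_pipelines"].append((g.group(1), field, netdev_column(field)))
        elif kind in ("Reads from proc file", "Reads CPU info from /sys"):
            f["proc_sys_reads"].append(detail)
        elif "uname" in kind:
            f["uname_pids"].append(e["pid"])
    # Assumed rule: interface byte counters plus uname from three or more processes = host profiling.
    f["profiling_suspected"] = bool(f["iface_counter_pipelines"]) and len(f["uname_pids"]) >= 3
    return f


if __name__ == "__main__":
    for key, value in detect(parse_events(EVENTS_LOG)).items():
        print(f"{key}: {value}")
    print("grep ens160 | awk '{print $2}'  ->", grep_awk(PROC_NET_DEV, "ens160", 2))
    print("grep ens160 | awk '{print $10}' ->", grep_awk(PROC_NET_DEV, "ens160", 10))
```

The PID+1 pairing is a heuristic that holds for a two-stage pipeline in an otherwise quiet process tree; on a busy host, pair by parent PID and timestamp instead. For production use the same rule translates directly to an auditd or eBPF execve watch on grep followed by awk with a `$2`/`$10` argument under a parent that is not an interactive shell.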