Linux Analysis Report
zmap.arm7.elf

ID:	1546744
Product:	CloudBasic
Start time:	15:09:30
Start date:	01.11.2024
Sample:	zmap.arm7.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	229acf7569130751dd54b01eb3804958
SHA1:	7885cfb3f6bb30be8c87ffc365527c31b5e86649
SHA256:	4a6596028c781e73e24157ca252361eaae4be9307ad98c34586880b48b7d9df8
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: zmap.arm7.elf

Avira: detected

Source: zmap.arm7.elf

ReversingLabs: Detection: 55%

Networking

Source: global traffic

TCP traffic: 192.168.2.14:47356 -> 154.216.16.38:59962

Source: /tmp/zmap.arm7.elf (PID: 5496)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26

Source: global traffic

DNS traffic detected: DNS query: server.dico-inside.com

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Source: zmap.arm7.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5501.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5496.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.arm7.elf PID: 5496, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: zmap.arm7.elf PID: 5501, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_handshake
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_method_ipip
Source: ELF static info symbol of initial sample	Name: attack_method_openvpn2
Source: ELF static info symbol of initial sample	Name: attack_method_ovh
Source: ELF static info symbol of initial sample	Name: attack_parse
Source: ELF static info symbol of initial sample	Name: attack_socket

Source: zmap.arm7.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Source: zmap.arm7.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5501.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5496.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.arm7.elf PID: 5496, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: zmap.arm7.elf PID: 5501, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal88.troj.evad.linELF@0/0@4/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/zmap.arm7.elf (PID: 5496)

File: /tmp/zmap.arm7.elf

Jump to behavior

Malware Analysis System Evasion

Source: /tmp/zmap.arm7.elf (PID: 5496)

Queries kernel information via 'uname':

Jump to behavior

Source: zmap.arm7.elf, 5496.1.000055fafaf99000.000055fafb0ea000.rw-.sdmp, zmap.arm7.elf, 5501.1.000055fafaf99000.000055fafb0c7000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: zmap.arm7.elf, 5496.1.000055fafaf99000.000055fafb0ea000.rw-.sdmp, zmap.arm7.elf, 5501.1.000055fafaf99000.000055fafb0c7000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: zmap.arm7.elf, 5496.1.00007ffde457d000.00007ffde459e000.rw-.sdmp, zmap.arm7.elf, 5501.1.00007ffde457d000.00007ffde459e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: zmap.arm7.elf, 5496.1.00007ffde457d000.00007ffde459e000.rw-.sdmp, zmap.arm7.elf, 5501.1.00007ffde457d000.00007ffde459e000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/zmap.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zmap.arm7.elf

Stealing of Sensitive Information

Source: Yara match	File source: zmap.arm7.elf, type: SAMPLE
Source: Yara match	File source: 5501.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5496.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5501, type: MEMORYSTR

Source: Yara match	File source: zmap.arm7.elf, type: SAMPLE
Source: Yara match	File source: 5501.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5496.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5501, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: zmap.arm7.elf, type: SAMPLE
Source: Yara match	File source: 5501.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5496.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5501, type: MEMORYSTR

Source: Yara match	File source: zmap.arm7.elf, type: SAMPLE
Source: Yara match	File source: 5501.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5496.1.00007ff434017000.00007ff43402f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zmap.arm7.elf PID: 5501, type: MEMORYSTR