Linux Analysis Report
udp.elf

Overview

General Information

Sample name: udp.elf
Analysis ID: 1565964
MD5: e69f86da2c209c5030a442a3f06036e2
SHA1: 649d16913f7ac128641b9a3846ab19ef5475be36
SHA256: 98ac80d42e3cc5c0f16e86c284cbb05f80337fbfad6e0ffb7004dc29fffc3648
Tags: elfuser-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Executes the "rm" command used to delete files or directories
Yara signature match

Classification

AV Detection

Source: udp.elf Virustotal: Detection: 26%
Source: udp.elf Joe Sandbox ML: detected
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39256
Source: unknown Network traffic detected: HTTP traffic on port 39256 -> 443

System Summary

Source: udp.elf, type: SAMPLE Matched rule: Linux_Hacktool_Flooder_e63396f4 Author: unknown
Source: 6262.1.00005649ccaea000.00005649ccaec000.r-x.sdmp, type: MEMORY Matched rule: Linux_Hacktool_Flooder_e63396f4 Author: unknown
Source: udp.elf, type: SAMPLE Matched rule: Linux_Hacktool_Flooder_e63396f4 reference_sample = 913e6d2538bd7eed3a8f3d958cf445fe11c5c299a70e5385e0df6a9b2f638323, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 269285d03ea1a3b41ff134ab2cf5e22502626c72401b83add6c1e165f4dd83f8, id = e63396f4-a297-4d99-b341-34cb22498078, last_modified = 2021-09-16
Source: 6262.1.00005649ccaea000.00005649ccaec000.r-x.sdmp, type: MEMORY Matched rule: Linux_Hacktool_Flooder_e63396f4 reference_sample = 913e6d2538bd7eed3a8f3d958cf445fe11c5c299a70e5385e0df6a9b2f638323, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 269285d03ea1a3b41ff134ab2cf5e22502626c72401b83add6c1e165f4dd83f8, id = e63396f4-a297-4d99-b341-34cb22498078, last_modified = 2021-09-16
Source: classification engine Classification label: mal60.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6270) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.He5K7IV2y1 /tmp/tmp.URZoQsaV7E /tmp/tmp.A8VPLso2Bh
Source: /usr/bin/dash (PID: 6271) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.He5K7IV2y1 /tmp/tmp.URZoQsaV7E /tmp/tmp.A8VPLso2Bh