Linux Analysis Report
botnet.arm7.elf

Overview

General Information

Sample name: botnet.arm7.elf
Analysis ID: 1565968
MD5: b1067ba67e0742a6f0479fa2e8d12e3c
SHA1: aa492c0ed0023b72f09e695bfbe03d491a8b6d13
SHA256: 2b2e2db5d45cdc8e1d99935200909180435499dd2749882ed66fa75f4b8caa35
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: botnet.arm7.elf Virustotal: Detection: 36% Perma Link
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: botnet.arm7.elf String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Source: classification engine Classification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
ELF contains segments with high entropy indicating compressed/encrypted content
Source: botnet.arm7.elf Submission file: segment LOAD with 7.9758 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/botnet.arm7.elf (PID: 5598) Queries kernel information via 'uname': Jump to behavior
Source: botnet.arm7.elf, 5598.1.00007ffc6ece5000.00007ffc6ed06000.rw-.sdmp Binary or memory string: %x86_64/usr/bin/qemu-arm/tmp/botnet.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/botnet.arm7.elf
Source: botnet.arm7.elf, 5598.1.0000560343da1000.0000560343ecf000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: botnet.arm7.elf, 5598.1.00007ffc6ece5000.00007ffc6ed06000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: botnet.arm7.elf, 5598.1.0000560343da1000.0000560343ecf000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm
Source: botnet.arm7.elf, 5598.1.00007ffc6ece5000.00007ffc6ed06000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
windows-stand
No contacted IP infos

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true