Linux Analysis Report
Aqua.mpsl.elf

Overview

General Information

Sample name: Aqua.mpsl.elf
Analysis ID: 1580698
MD5: 5d20f97f3ae82ea63acfc1978858c0de
SHA1: 7b239555f4b93a3f3beb27f40ff299084f70f591
SHA256: d8cef752d9320a055f89c6cfa1050b9bc5c636630c9ae4351333b4ae0bb6f7c3
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample has stripped symbol table
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: Aqua.mpsl.elf Avira: detected
Source: Aqua.mpsl.elf Virustotal: Detection: 33%
Source: Aqua.mpsl.elf ReversingLabs: Detection: 31%
Source: unknown DNS traffic detected: query: 45.148.10.84 (an IP literal queried as a name) reply code: Name error (3, NXDOMAIN)
Source: global traffic DNS traffic detected: DNS query: 45.148.10.84
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.evad.linELF@0/1@190/0
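The hashes in General Information and the ".symtab present: no" finding above are the two static checks worth reproducing before trusting a report on a file you have in hand. The following is an added example, not the sandbox's own signature code: a small ELF section-table walker that reports class, byte order and machine, lists section names, flags a missing .symtab (a stripped sample), and compares the file's hashes with the ones this report lists. The builder and the images it produces are constructed test inputs, not the Aqua.mpsl.elf sample.

```python
import hashlib
import struct

# Hashes as listed in this report; used to confirm you are triaging the same file.
REPORTED = {
    "md5": "5d20f97f3ae82ea63acfc1978858c0de",
    "sha1": "7b239555f4b93a3f3beb27f40ff299084f70f591",
    "sha256": "d8cef752d9320a055f89c6cfa1050b9bc5c636630c9ae4351333b4ae0bb6f7c3",
}
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3


def parse_elf_sections(data):
    """Return (bits, byte_order, e_machine, [(section name, sh_type)]) for a raw ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]            # EI_CLASS
    order = {1: "<", 2: ">"}[data[5]]         # EI_DATA: 1 = little-endian (the "mpsl" in the file name)
    hdr_fmt = "HHIIIIIHHHHHH" if bits == 32 else "HHIQQQIHHHHHH"
    sh_fmt = "IIIIIIIIII" if bits == 32 else "IIQQQQIIQQ"
    hdr = struct.unpack_from(order + hdr_fmt, data, 16)
    e_machine, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[1], hdr[5], hdr[10], hdr[11], hdr[12]
    if e_shoff == 0 or e_shnum == 0:
        return bits, order, e_machine, []    # section table removed entirely: nothing to walk
    shdrs = [struct.unpack_from(order + sh_fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    str_off = shdrs[e_shstrndx][4]           # sh_offset of .shstrtab
    sections = []
    for sh in shdrs:
        start = str_off + sh[0]              # sh_name is an offset into .shstrtab
        name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
        sections.append((name, sh[1]))
    return bits, order, e_machine, sections


def triage(data):
    """Hashes, architecture and the stripped-symbol-table check from the report's signature list."""
    bits, order, machine, sections = parse_elf_sections(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "class": f"ELF{bits}",
        "endian": "little" if order == "<" else "big",
        "machine": EM_NAMES.get(machine, f"unknown({machine})"),
        "sections": [name for name, _ in sections],
        "has_symtab": any(t == SHT_SYMTAB for _, t in sections),
    }


def matches_report(info):
    """True when all three hashes equal the ones this report lists for Aqua.mpsl.elf."""
    return all(info[k] == v for k, v in REPORTED.items())


def build_elf32_lsb(section_specs, e_machine=8):
    """Construct a minimal ELF32 little-endian image holding only a section table (test input, not the sample)."""
    specs = list(section_specs) + [(".shstrtab", SHT_STRTAB)]
    shstr, name_off = b"\0", {}
    for name, _ in specs:
        name_off[name] = len(shstr)
        shstr += name.encode() + b"\0"
    ehsize, shentsize = 52, 40
    shoff, shnum = ehsize + len(shstr), len(specs) + 1
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, e_machine, 1, 0, 0, shoff, 0,
                               ehsize, 0, 0, shentsize, shnum, shnum - 1)
    shdrs = struct.pack("<IIIIIIIIII", *([0] * 10))      # mandatory null section at index 0
    for name, stype in specs:
        off, size = (ehsize, len(shstr)) if name == ".shstrtab" else (0, 0)
        shdrs += struct.pack("<IIIIIIIIII", name_off[name], stype, 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + shstr + shdrs


if __name__ == "__main__":
    import sys
    info = triage(open(sys.argv[1], "rb").read())
    print(info, "matches report:", matches_report(info))
```

Run it as `python3 triage.py Aqua.mpsl.elf`; a MIPS little-endian ELF32 with no .symtab entry and all three hashes equal to the report's is the file this page describes. A section table that is missing altogether (e_shnum of 0) is also reported as stripped, since there is then no .symtab to find.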

Hooking and other Techniques for Hiding and Protection

Source: /tmp/Aqua.mpsl.elf (PID: 5573) Deletes its own file: /tmp/Aqua.mpsl.elf
Source: /tmp/Aqua.mpsl.elf (PID: 5571) Queries kernel information via 'uname'
Source: Aqua.mpsl.elf, 5571.1.00007ffe6deca000.00007ffe6deeb000.rw-.sdmp Binary or memory string: Lx86_64/usr/bin/qemu-mipsel/tmp/Aqua.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.mpsl.elf
Source: Aqua.mpsl.elf, 5571.1.00005635c3efb000.00005635c3f82000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: Aqua.mpsl.elf, 5571.1.00007ffe6deca000.00007ffe6deeb000.rw-.sdmp Binary or memory string: /tmp/qemu-open.hmgx7t
Source: Aqua.mpsl.elf, 5571.1.00007ffe6deca000.00007ffe6deeb000.rw-.sdmp Binary or memory string: /qemu-open.XXXXX
Source: Aqua.mpsl.elf, 5571.1.00005635c3efb000.00005635c3f82000.rw-.sdmp Binary or memory string: 5V!/etc/qemu-binfmt/mipsel
Source: Aqua.mpsl.elf, 5571.1.00007ffe6deca000.00007ffe6deeb000.rw-.sdmp Binary or memory string: 5V/tmp/qemu-open.hmgx7t\
Source: Aqua.mpsl.elf, 5571.1.00007ffe6deca000.00007ffe6deeb000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
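The /usr/bin/qemu-mipsel, /etc/qemu-binfmt/mipsel and /tmp/qemu-open.* strings, and the SUDO_USER/PATH environment block above, come from the sandbox running this MIPS little-endian binary under qemu user-mode emulation; they are host artifacts of the analysis, not indicators of the sample, and should not be turned into IoCs. The two behaviours that do belong to the sample are the ones this section lists: the uname call and the deletion of its own executable. The following is an added example, not the sandbox's own signature logic, of how to flag both from a syscall trace. It assumes the line format written by `strace -f -o trace.log` (pid, syscall, arguments, return value); the trace embedded here is constructed for the example and is not the sandbox's trace. Note that tracing a MIPS sample on an x86-64 host with strace records qemu's syscalls rather than the guest's, so a guest-side trace (for instance qemu's own -strace option, whose output format differs) would need its own regex.

```python
import re

# Constructed trace in "strace -f -o" format: "<pid>  <syscall>(<args>) = <ret>".
# Not the sandbox's trace of the sample; pids reuse the ones the report shows.
SAMPLE_TRACE = """\
5571  execve("/tmp/Aqua.mpsl.elf", ["/tmp/Aqua.mpsl.elf"], 0x7ffe6deca1c8 /* 18 vars */) = 0
5571  uname({sysname="Linux", nodename="sandbox", release="5.15.0", ...}) = 0
5571  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a2c1e0a10) = 5573
5573  unlink("/tmp/Aqua.mpsl.elf") = 0
5571  openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
5571  unlink("/tmp/scratch.tmp") = 0
"""

SYSCALL_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+|\?)')
QUOTED_RE = re.compile(r'"([^"]*)"')


def analyse_trace(lines):
    """Flag uname() and deletion of the process's own executable, the two behaviours listed above."""
    exe_paths = set()          # paths passed to execve, so a later unlink of one is recognised as self-deletion
    findings = []
    for line in lines:
        m = SYSCALL_RE.match(line)
        if not m:
            continue           # signal lines, "+++ exited" lines, unfinished/resumed fragments
        pid, call, args, _ret = m.groups()
        quoted = QUOTED_RE.search(args)
        path = quoted.group(1) if quoted else None   # first string argument: the pathname for execve/unlink/unlinkat
        if call == "execve" and path:
            exe_paths.add(path)
        elif call == "uname":
            findings.append({"pid": pid, "syscall": call,
                             "note": "queries kernel version information (possible evasion)"})
        elif call in ("unlink", "unlinkat") and path in exe_paths:
            findings.append({"pid": pid, "syscall": call,
                             "note": f"deletes its own executable {path}"})
    return findings


if __name__ == "__main__":
    for f in analyse_trace(SAMPLE_TRACE.splitlines()):
        print(f"pid {f['pid']}: {f['syscall']}: {f['note']}")
```

Only an unlink of a path previously seen in execve is reported, so ordinary temporary-file cleanup (the /tmp/scratch.tmp line) does not trigger the self-deletion finding; the child pid in the unlink line is kept because, as in the report, the deletion happens in a forked process rather than the one that called uname.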
No contacted IP infos