Linux Analysis Report
RpcSecurity.mpsl.elf

ID:	1581163
Product:	CloudBasic
Start time:	06:40:26
Start date:	27.12.2024
Sample:	RpcSecurity.mpsl.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	909e68d7f9baf5b2c79023ca027aa132
SHA1:	1a17caa726700e04242251f101298bf209c54c18
SHA256:	8ad68a6dd76f0ca58d1651343916807370fabc294394c12cb4209d5cdb7dc259
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: RpcSecurity.mpsl.elf

Avira: detected

Source: RpcSecurity.mpsl.elf	Virustotal: Detection: 63%			Perma Link
Source: RpcSecurity.mpsl.elf	ReversingLabs: Detection: 63%

Networking

Source: /tmp/RpcSecurity.mpsl.elf (PID: 5502)

Socket: 192.168.2.14:9473

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Source: RpcSecurity.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5502.1.00007fd4c0400000.00007fd4c0413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: RpcSecurity.mpsl.elf PID: 5502, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: RpcSecurity.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5502.1.00007fd4c0400000.00007fd4c0413000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: RpcSecurity.mpsl.elf PID: 5502, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.linELF@0/0@2/0

Malware Analysis System Evasion

Source: /tmp/RpcSecurity.mpsl.elf (PID: 5502)

Queries kernel information via 'uname':

Jump to behavior

Source: RpcSecurity.mpsl.elf, 5502.1.00005605b4984000.00005605b4a0b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: RpcSecurity.mpsl.elf, 5502.1.00005605b4984000.00005605b4a0b000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: RpcSecurity.mpsl.elf, 5502.1.00007ffe327b3000.00007ffe327d4000.rw-.sdmp	Binary or memory string: gx86_64/usr/bin/qemu-mipsel/tmp/RpcSecurity.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/RpcSecurity.mpsl.elf
Source: RpcSecurity.mpsl.elf, 5502.1.00007ffe327b3000.00007ffe327d4000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: RpcSecurity.mpsl.elf, 5502.1.00007ffe327b3000.00007ffe327d4000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel