Linux Analysis Report
efjepc.elf

Overview

General Information

Sample name: efjepc.elf
Analysis ID: 1649546
MD5: e142ebfafd66b5fba15d66f0e4778cd3
SHA1: 5c7d26fdddc5f72da721716a21a6880714214334
SHA256: 866c7b98e222ea729842bc96af910d280c4668e9f61acd3cdb1e25b8083f9acd
Tags: elf, user-abuse_ch

Detection

Score: 64
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Deletes system log files
Manipulation of devices in /dev
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification (image legend): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious

AV Detection

Source: efjepc.elf Virustotal: Detection: 25%
Source: efjepc.elf ReversingLabs: Detection: 22%
Source: efjepc.elf String: /lib/systemd//usr/lib/systemd/system/system/bin//gm/bin//home/process//home/helper/home/davinci/z/bin//mnt/mtd//tmp/sqfs//usr/libexec//usr/sbin//z/zbin//usr/bin/bin//tmp/var/mnt/root/boot/home/dev/media/opt/../(deleted)x86armmipsmpslsh4wgetcurllynxftpftpgettftpscpaflaaarsyncpfclamscanreadelfizsnapstracelsofgdbpmapltraceptracewiresharktsharktcpdumpnetstatssnmaphping3tracerouteiptablesnftfirewalldauditctlselinuxapparmoraptdnfyumzypperpacmanemergebrewportnanovimvinvimgeditkateemacspkillkillallkillsystemctlnohuppythonpython3perlrubyluanodebashshkshzshfishvolatilitychkrootkitrkhunterradare2binwalkdockerpodmanlxcqemuvirshvboxmanagemountumountdfdulsblkblkidmkfsfdiskpartedobjdumpstringsxxdhexdumpncnetcatsocatjournalctldmesglogcattaillessgrepawksedtmuxY

Networking

Source: global traffic TCP traffic: 192.168.2.13:51626 -> 141.98.10.142:2211
Source: global traffic DNS traffic detected: DNS query: raw.awaken-network.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 37674
Source: unknown Network traffic detected: HTTP traffic on port 37674 -> 443
Source: unknown HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.13:37674 version: TLS 1.2

System Summary

Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3104, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3161, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3162, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3163, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3164, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3165, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3170, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3182, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3208, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3212, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5437, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5438, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5439, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5440, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5441, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5442, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 780, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 780, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 1411, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 1563, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 1563, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 2936, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 2984, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3134, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3134, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3146, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3147, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3147, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3153, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3153, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3158, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3158, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3183, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3183, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3203, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3203, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3220, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 3220, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5409, result: successful
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5409, result: no such process
Source: /tmp/efjepc.elf (PID: 5428) SIGKILL sent: pid: 5489, result: successful
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.spre.evad.linELF@0/4@2/0
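
The SIGKILL list above shows the pattern worth alerting on: one process sends SIGKILL to dozens of unrelated PIDs within seconds, and sends it a second time to targets that are already gone (the "no such process" results). The Python below is an added example, not part of the report or of the sample. It runs over constructed, abbreviated auditd records for an x86_64 host (they are not records from this analysis; the target PIDs merely mirror a few that the report lists) and flags any process that SIGKILLs at least five distinct PIDs inside a ten-second window. It joins each PATH record to its SYSCALL record by audit serial so that the same process's reads of /proc/<pid>/cmdline and /proc/<pid>/maps are counted alongside the kills. One caveat for this particular run: the memory strings under "Hooking and other Techniques" reference /usr/bin/qemu-ppc and /etc/qemu-binfmt/ppc, so the sandbox executed the sample through qemu user-mode emulation and a host audit trail would attribute the kill syscalls to the qemu-ppc process rather than to efjepc.elf.

```python
"""Flag a process that probes /proc/<pid>/{cmdline,maps,...} and then SIGKILLs many
distinct PIDs in a short window, from auditd records.  Added example, not from the report."""
import re
from collections import defaultdict

SIGKILL = 9
SYS_KILL = "62"          # x86_64 syscall numbers (arch=c000003e); other arches differ
SYS_OPEN = {"2", "257"}  # open, openat

# Constructed, abbreviated auditd records for an x86_64 host; not from the sandbox run.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1711111111.100:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a10 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="proc_read"
type=PATH msg=audit(1711111111.100:2001): item=0 name="/proc/3104/cmdline" mode=0100444 nametype=NORMAL
type=SYSCALL msg=audit(1711111111.101:2002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a10 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="proc_read"
type=PATH msg=audit(1711111111.101:2002): item=0 name="/proc/3104/maps" mode=0100444 nametype=NORMAL
type=SYSCALL msg=audit(1711111111.102:2003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a10 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="proc_read"
type=PATH msg=audit(1711111111.102:2003): item=0 name="/proc/3161/cmdline" mode=0100444 nametype=NORMAL
type=SYSCALL msg=audit(1711111111.103:2004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a10 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="proc_read"
type=PATH msg=audit(1711111111.103:2004): item=0 name="/proc/780/cmdline" mode=0100444 nametype=NORMAL
type=SYSCALL msg=audit(1711111111.200:2005): arch=c000003e syscall=62 success=yes exit=0 a0=c20 a1=9 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="sigkill"
type=SYSCALL msg=audit(1711111111.201:2006): arch=c000003e syscall=62 success=yes exit=0 a0=c59 a1=9 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="sigkill"
type=SYSCALL msg=audit(1711111111.202:2007): arch=c000003e syscall=62 success=yes exit=0 a0=c5a a1=9 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="sigkill"
type=SYSCALL msg=audit(1711111111.203:2008): arch=c000003e syscall=62 success=yes exit=0 a0=c5b a1=9 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="sigkill"
type=SYSCALL msg=audit(1711111111.204:2009): arch=c000003e syscall=62 success=yes exit=0 a0=30c a1=9 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="sigkill"
type=SYSCALL msg=audit(1711111111.205:2010): arch=c000003e syscall=62 success=no exit=-3 a0=30c a1=9 pid=5428 uid=0 comm="efjepc.elf" exe="/tmp/efjepc.elf" key="sigkill"
type=SYSCALL msg=audit(1711111111.300:2011): arch=c000003e syscall=62 success=yes exit=0 a0=1f3 a1=9 pid=1 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="sigkill"
"""

_REC = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PROC = re.compile(r"^/proc/(\d+)/(cmdline|maps|stat|status|fd)")


def parse_events(text):
    """Group records by audit serial so each PATH record joins its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        m = _REC.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(body)}
        ev = events.setdefault(int(serial), {"ts": float(ts), "syscall": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return [events[s] for s in sorted(events)]


def detect_process_killers(text, window=10.0, min_targets=5):
    """One finding per process that SIGKILLs >= min_targets distinct PIDs within
    `window` seconds, with its /proc probing and ESRCH (target already dead) counts."""
    kills, probes, meta = defaultdict(list), defaultdict(list), {}
    for ev in parse_events(text):
        sc = ev["syscall"]
        if not sc:
            continue
        pid = int(sc["pid"])
        meta[pid] = (sc.get("comm", "?"), sc.get("exe", "?"))
        if sc["syscall"] == SYS_KILL and int(sc.get("a1", "0"), 16) == SIGKILL:
            already_dead = sc.get("success") == "no" and sc.get("exit") == "-3"
            kills[pid].append((ev["ts"], int(sc["a0"], 16), already_dead))  # a0 = target pid, hex
        elif sc["syscall"] in SYS_OPEN:
            for name in ev["paths"]:
                m = _PROC.match(name)
                if m:
                    probes[pid].append(int(m.group(1)))
    findings = []
    for pid, ks in kills.items():
        ks.sort()
        best = set()
        for i, (t0, _, _) in enumerate(ks):  # largest distinct-target set in any window
            seen = {tgt for ts, tgt, _ in ks[i:] if ts - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) < min_targets:
            continue
        comm, exe = meta[pid]
        findings.append({"pid": pid, "comm": comm, "exe": exe, "targets": sorted(best),
                         "esrch": sum(1 for _, _, dead in ks if dead),
                         "proc_reads": len(probes[pid]),
                         "probed_pids": sorted(set(probes[pid]))})
    return findings


if __name__ == "__main__":
    for finding in detect_process_killers(SAMPLE_AUDIT_LOG):
        print(finding)
```

To produce the kill records on a real host, load `-a always,exit -F arch=b64 -S kill -F a1=9 -k sigkill` with auditctl (the `a1=9` filter keeps only SIGKILL). The openat records that yield the /proc PATH entries need a syscall rule such as `-a always,exit -F arch=b64 -S openat -F uid=0 -k proc_read`, which is noisy on a busy host, so scope it with `-F uid=` or `-F exe=` before enabling it fleet-wide. The systemd record in the sample is there to show that a single SIGKILL does not trip the threshold.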

Data Obfuscation

Source: /tmp/efjepc.elf (PID: 5431) Deleted: /dev/kmsg
Source: /tmp/efjepc.elf (PID: 5431) Deleted: /dev/null
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5437) Directory: /home/saturnino/.Xdefaults-galassia
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5440) Directory: /home/saturnino/.Xdefaults-galassia
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5441) Directory: /home/saturnino/.Xdefaults-galassia
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5442) Directory: /home/saturnino/.Xdefaults-galassia
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5489) Directory: /home/saturnino/.cache
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5489) Directory: /home/saturnino/.local
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5489) Directory: /home/saturnino/.config
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5489) Directory: /home/saturnino/.config
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/5264/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/5264/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/5264/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/5264/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/5264/fd
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/230/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/230/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/230/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/230/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/110/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/110/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/110/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/110/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/231/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/231/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/231/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/231/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/111/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/111/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/111/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/111/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/232/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/232/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/232/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/232/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/112/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/112/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/112/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/112/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/233/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/233/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/233/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/233/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/113/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/113/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/113/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/113/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/234/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/234/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/234/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/234/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/114/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/114/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/114/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/114/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/235/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/235/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/235/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/235/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/115/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/115/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/115/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/115/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/236/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/236/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/236/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/236/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/116/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/116/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/116/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/116/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/237/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/237/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/237/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/237/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/117/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/117/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/117/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/117/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/238/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/238/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/238/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/238/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/118/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/118/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/118/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/118/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/239/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/239/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/239/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/239/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/119/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/119/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/119/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/119/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/914/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/914/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/914/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/914/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/914/fd
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/3635/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/3635/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/3635/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/3635/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/3635/fd
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/10/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/10/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/10/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/10/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/917/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/917/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/917/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/917/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/917/fd
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/11/maps
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/11/stat
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/11/cmdline
Source: /tmp/efjepc.elf (PID: 5428) File opened: /proc/11/stat
Source: /usr/bin/dash (PID: 5447) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.r537UGDdmb /tmp/tmp.3hQJd9yzJc /tmp/tmp.usH1vlJkGi
Source: /usr/bin/dash (PID: 5458) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.r537UGDdmb /tmp/tmp.3hQJd9yzJc /tmp/tmp.usH1vlJkGi

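The two "Deleted" entries at the top of this section, /dev/kmsg and /dev/null, matter more than they look. Once the /dev/null node is gone, the next `cmd > /dev/null` run by any process recreates the name as a regular file: output that should have been discarded lands on disk, and anything that later reads /dev/null gets that data back instead of EOF. Without /dev/kmsg, userspace consumers of the kernel ring buffer such as systemd-journald lose that stream, which is presumably the point, given the /var/log deletions recorded in the next section. devtmpfs does not recreate either node until it is remade by hand or the host reboots. The Python below is an added example, not part of the report: it checks that each expected node is still a character device with the standard Linux major:minor numbers (1:3 for null, 1:11 for kmsg), prints the mknod command that restores it, and builds a throw-away directory tree to show what a tampered /dev reports. The expected-node table and the function names are this example's own.

```python
"""Check that /dev/null and /dev/kmsg are still the character devices they should be,
and show what a tampered /dev looks like.  Added example; not from the report."""
import os
import stat
import tempfile

# Standard Linux numbers (Documentation/admin-guide/devices.txt; major 1 = memory devices).
EXPECTED_NODES = {"/dev/null": (1, 3, 0o666), "/dev/kmsg": (1, 11, 0o644)}


def devnode_status(path, major, minor):
    """'ok', 'missing', 'not-a-chardev' (e.g. a plain file left behind by '> /dev/null'),
    or 'wrong-numbers' (a char device, but not the one the kernel would have created)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode):
        return "not-a-chardev"
    if (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
        return "wrong-numbers"
    return "ok"


def audit_dev_nodes(expected=EXPECTED_NODES, root=""):
    """Return [(path, status, repair_command)] for each node that is not 'ok'.
    `root` lets the same check run against an offline image or a test tree."""
    findings = []
    for path, (major, minor, mode) in expected.items():
        status = devnode_status(root + path, major, minor)
        if status != "ok":
            repair = f"rm -f {path} && mknod -m {mode:o} {path} c {major} {minor}"
            findings.append((path, status, repair))
    return findings


def simulate_tampered_dev():
    """Throw-away tree in which /dev/null is a regular file holding output that a
    later 'cmd > /dev/null' was supposed to discard, and /dev/kmsg is absent."""
    root = tempfile.mkdtemp(prefix="devcheck-")
    os.makedirs(root + "/dev")
    with open(root + "/dev/null", "w") as fh:  # constructed tampering, not a real /dev
        fh.write("stdout that should have been discarded\n")
    return audit_dev_nodes(root=root)


if __name__ == "__main__":
    print("live /dev:", audit_dev_nodes() or "all expected nodes ok")
    print("tampered tree:", simulate_tampered_dev())
```

The repair commands need root; run them before restarting journald or anything else that opens these nodes, because a daemon that has already opened the regular-file stand-in keeps writing to it until restarted.
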
Hooking and other Techniques for Hiding and Protection

Source: /tmp/efjepc.elf (PID: 5431) Log files deleted: /var/log/kern.log
Source: /tmp/efjepc.elf (PID: 5431) Log files deleted: /var/log/Xorg.0.log
Source: /tmp/efjepc.elf (PID: 5431) Log files deleted: /var/log/auth.log
Source: /tmp/efjepc.elf (PID: 5431) Log files deleted: /var/log/Xorg.1.log
Source: /tmp/efjepc.elf (PID: 5426) File: /tmp/efjepc.elf
Source: /tmp/efjepc.elf (PID: 5424) Queries kernel information via 'uname':
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5437) Queries kernel information via 'uname':
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5438) Queries kernel information via 'uname':
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5439) Queries kernel information via 'uname':
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5440) Queries kernel information via 'uname':
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5441) Queries kernel information via 'uname':
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5442) Queries kernel information via 'uname':
Source: efjepc.elf Binary or memory string: /lib/systemd//usr/lib/systemd/system/system/bin//gm/bin//home/process//home/helper/home/davinci/z/bin//mnt/mtd//tmp/sqfs//usr/libexec//usr/sbin//z/zbin//usr/bin/bin//tmp/var/mnt/root/boot/home/dev/media/opt/../(deleted)x86armmipsmpslsh4wgetcurllynxftpftpgettftpscpaflaaarsyncpfclamscanreadelfizsnapstracelsofgdbpmapltraceptracewiresharktsharktcpdumpnetstatssnmaphping3tracerouteiptablesnftfirewalldauditctlselinuxapparmoraptdnfyumzypperpacmanemergebrewportnanovimvinvimgeditkateemacspkillkillallkillsystemctlnohuppythonpython3perlrubyluanodebashshkshzshfishvolatilitychkrootkitrkhunterradare2binwalkdockerpodmanlxcqemuvirshvboxmanagemountumountdfdulsblkblkidmkfsfdiskpartedobjdumpstringsxxdhexdumpncnetcatsocatjournalctldmesglogcattaillessgrepawksedtmuxY
Source: efjepc.elf, 5424.1.00007ffe3be1f000.00007ffe3be40000.rw-.sdmp Binary or memory string: )x86_64/usr/bin/qemu-ppc/tmp/efjepc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/efjepc.elf
Source: efjepc.elf, 5424.1.00007ffe3be1f000.00007ffe3be40000.rw-.sdmp Binary or memory string: sU/tmp/qemu-open.MeefRi\4i
Source: efjepc.elf, 5424.1.000055730d0a3000.000055730d153000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1/proc/5424/task/5424/comm1
Source: efjepc.elf, 5424.1.000055730d0a3000.000055730d153000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: efjepc.elf, 5424.1.00007ffe3be1f000.00007ffe3be40000.rw-.sdmp Binary or memory string: /tmp/qemu-open.MeefRi
Source: efjepc.elf, 5424.1.00007ffe3be1f000.00007ffe3be40000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: efjepc.elf, 5424.1.00007ffe3be1f000.00007ffe3be40000.rw-.sdmp Binary or memory string: %s/qemu-op
Source: efjepc.elf, 5424.1.00007ffe3be1f000.00007ffe3be40000.rw-.sdmp Binary or memory string: MPDIR%s/qemu-op
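
The long "Binary or memory string" above (the same one listed under AV Detection as the multi-platform dropper indicator) is a string table whose literals are stored back-to-back without terminators, as Go and some other toolchains do, which is why `strings` prints it as one run. Its tail is readable once split against a vocabulary: architecture tags (x86, arm, mips, mpsl, sh4), download utilities, and a long list of debugging, forensics, firewall, package-manager, shell and log tools. That list is consistent with a process that reads /proc/<pid>/cmdline and kills matches, which is what the behavior sections record, but the report shows the kills and not which name matched, so treat it as a candidate kill list rather than a confirmed one. The Python below is an added example and not part of the report or of the sample: it copies the string from this page, leaves the path prefix unsplit because its boundaries are ambiguous, and segments the rest with a dynamic-programming word break that minimises the characters it cannot place; whatever remains is reported as unresolved rather than guessed. The vocabulary and the category names are this example's own choices.

```python
"""Split the run-together string table from the sample into tool names and
architecture tags.  Added example; vocabulary and categories are my own choices."""

# Copied from the report's 'Binary or memory string' line.
BLOB = (
    "/lib/systemd//usr/lib/systemd/system/system/bin//gm/bin//home/process//home/helper"
    "/home/davinci/z/bin//mnt/mtd//tmp/sqfs//usr/libexec//usr/sbin//z/zbin//usr/bin/bin/"
    "/tmp/var/mnt/root/boot/home/dev/media/opt/../(deleted)"
    "x86armmipsmpslsh4wgetcurllynxftpftpgettftpscpaflaaarsyncpfclamscanreadelfizsnap"
    "stracelsofgdbpmapltraceptracewiresharktsharktcpdumpnetstatssnmaphping3traceroute"
    "iptablesnftfirewalldauditctlselinuxapparmoraptdnfyumzypperpacmanemergebrewport"
    "nanovimvinvimgeditkateemacspkillkillallkillsystemctlnohuppythonpython3perlruby"
    "luanodebashshkshzshfishvolatilitychkrootkitrkhunterradare2binwalkdockerpodmanlxc"
    "qemuvirshvboxmanagemountumountdfdulsblkblkidmkfsfdiskpartedobjdumpstringsxxd"
    "hexdumpncnetcatsocatjournalctldmesglogcattaillessgrepawksedtmuxY"
)

# Category names and membership are this example's own; extend as needed.
CATEGORIES = {
    "arch": "x86 arm mips mpsl sh4",
    "transfer": "wget curl lynx ftp ftpget tftp scp rsync",
    "analysis": "strace lsof gdb pmap ltrace ptrace wireshark tshark tcpdump netstat ss nmap "
                "hping3 traceroute readelf clamscan auditctl volatility chkrootkit rkhunter "
                "radare2 binwalk objdump strings xxd hexdump",
    "hardening": "iptables nft firewalld selinux apparmor",
    "packaging": "apt dnf yum zypper pacman emerge brew port snap",
    "editors": "nano vim vi nvim gedit kate emacs",
    "proc_control": "pkill killall kill systemctl nohup",
    "interpreters": "python python3 perl ruby lua node bash sh ksh zsh fish",
    "virt": "docker podman lxc qemu virsh vboxmanage",
    "storage": "mount umount df du lsblk blkid mkfs fdisk parted",
    "relay": "nc netcat socat",
    "logs": "journalctl dmesg logcat tail less grep awk sed tmux",
}
VOCAB = {word: cat for cat, words in CATEGORIES.items() for word in words.split()}


def segment(text, vocab):
    """Word-break that minimises unknown characters, then token count.
    Returns [(piece, is_known)], with runs of unknown characters merged."""
    n, longest = len(text), max(len(w) for w in vocab)
    best = [(0, 0, 0, False)]  # (unknown_chars, tokens, start_of_last_piece, is_known)
    for i in range(1, n + 1):
        u, t, _, _ = best[i - 1]
        cand = (u + 1, t + 1, i - 1, False)  # treat text[i-1] as an unknown character
        for length in range(1, min(longest, i) + 1):
            if text[i - length:i] in vocab:
                u2, t2, _, _ = best[i - length]
                if (u2, t2 + 1) < (cand[0], cand[1]):
                    cand = (u2, t2 + 1, i - length, True)
        best.append(cand)
    pieces, i = [], n
    while i > 0:
        _, _, start, known = best[i]
        pieces.append((text[start:i], known))
        i = start
    pieces.reverse()
    merged = []
    for piece, known in pieces:
        if not known and merged and not merged[-1][1]:
            merged[-1] = (merged[-1][0] + piece, False)
        else:
            merged.append((piece, known))
    return merged


def split_string_table(blob):
    """Categorised tokens from the part after '(deleted)' (the suffix the kernel appends
    to unlinked targets in /proc/<pid>/exe and maps); the path prefix is kept verbatim."""
    head, _, tail = blob.partition("(deleted)")
    out = {"paths": head, "unresolved": []}
    for piece, known in segment(tail, VOCAB):
        out.setdefault(VOCAB[piece], []).append(piece) if known else out["unresolved"].append(piece)
    return out


if __name__ == "__main__":
    for key, value in split_string_table(BLOB).items():
        print(f"{key}: {value}")
```

Run against the string from this page, the segmenter places everything except `aflaaa`, `pf`, `iz` and the trailing `Y`; those are printed as unresolved so that nobody mistakes a guess for a finding. The same vocabulary works directly on `strings -n 6` output from other samples of the same family, where the same tool names tend to recur.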