Linux Analysis Report
main.elf

Overview

General Information

Sample name:	main.elf
Analysis ID:	1655142
MD5:	34fcebc5e7b00b00375c0dac38094ab1
SHA1:	ae2c37b37125168d4568b4680212483b63a26a73
SHA256:	1a386942a1b6a4def0fc2b3802dcf86338e2aa121047a2bf2f562c86eb06908e
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	1
Range:	0 - 100

Signatures

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Signatures

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: main.elf	ELF static info symbol of initial sample: freeaddrinfo
Source: main.elf	ELF static info symbol of initial sample: gai_strerror
Source: main.elf	ELF static info symbol of initial sample: getaddrinfo

Source: main.elf	String found in binary or memory: http://nginx.com/
Source: main.elf	String found in binary or memory: http://nginx.org/
Source: main.elf	String found in binary or memory: https://github.com/rurreac/slider
Source: main.elf	String found in binary or memory: https://go.dev/issue/66821):
Source: main.elf	String found in binary or memory: https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: clean1.linELF@0/0@0/0

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Source: ELF symbol in initial sample

Symbol name: nanosleep

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

ID:	1655142
Product:	CloudBasic
Start time:	01:30:33
Start date:	03.04.2025
Sample:	main.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	34fcebc5e7b00b00375c0dac38094ab1
SHA1:	ae2c37b37125168d4568b4680212483b63a26a73
SHA256:	1a386942a1b6a4def0fc2b3802dcf86338e2aa121047a2bf2f562c86eb06908e
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 49.77%

Linux Analysis Report
main.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report main.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
main.elf