Linux Analysis Report
tftp.elf

Overview

General Information

Sample name: tftp.elf
Analysis ID: 1668992
MD5: a3ab7e62b0bd2d6efa7a4897de3c403f
SHA1: 30c4cfa6ce2a7bdb5c051ad5a01be391eff762f2
SHA256: b5c27e4e16ecd8b317540374ad1f3a75b8dd21f5e9628fb6c814aadaa546353b
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Executes the "rm" command used to delete files or directories
Uses the "uname" system call to query kernel version information (possible evasion)

Classification


AV Detection

Source: tftp.elf Virustotal: Detection: 21%
Source: tftp.elf ReversingLabs: Detection: 19%
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43 (3 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202 (2 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 34.249.145.219 (4 connections)
Note: all of these flows carry Source: unknown, i.e. the sandbox did not attribute them to a process; none is tied to the sample's PID 6234 anywhere in this report. Check the full capture and the process tree before treating any of these addresses as sample C2.
Source: unknown Network traffic detected: HTTP traffic on port 39246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 39246
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
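The "TCP traffic detected without corresponding DNS query" signature above is a correlation between the DNS answers and the TCP connects seen during the run. The following is an added example (not the sandbox's own code) that implements that correlation and the collapsing of repeated hits into per-address counts; the event format, timestamps, PIDs and the resolved host are constructed, while the destination addresses are the ones listed in this report.

```python
"""Correlate TCP connects against prior DNS answers.

Added example for this report, not the sandbox's own code. Reproduces the
logic behind the "TCP traffic detected without corresponding DNS query"
signature on constructed sample events.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since start of the run
    qname: str
    rdata: str     # address returned for qname


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    pid: Optional[int]   # None when the sandbox could not attribute the flow
    dst_ip: str
    dst_port: int


def tcp_without_dns(dns: Iterable[DnsAnswer],
                    tcp: Iterable[TcpConnect]) -> List[TcpConnect]:
    """Return connects whose destination was not resolved before the connect.

    Only answers seen *before* the connect count: an address resolved
    afterwards was still known to the process some other way (hardcoded,
    read from a config, received over another channel). Sandbox-internal
    destinations (RFC1918, loopback, link-local) are skipped.
    """
    answers = [(a.ts, ipaddress.ip_address(a.rdata)) for a in dns]
    hits = []
    for conn in sorted(tcp, key=lambda c: c.ts):
        dst = ipaddress.ip_address(conn.dst_ip)
        if dst.is_private or dst.is_loopback or dst.is_link_local:
            continue
        if not any(ts <= conn.ts and addr == dst for ts, addr in answers):
            hits.append(conn)
    return hits


def summarize(hits: Iterable[TcpConnect]) -> Dict[str, Tuple[int, Set[int]]]:
    """Collapse repeated hits to {dst_ip: (connect count, attributed PIDs)}.

    An empty PID set means every flow to that address was unattributed,
    which is how the report's "Source: unknown" lines should be read.
    """
    out: Dict[str, Tuple[int, Set[int]]] = {}
    for h in hits:
        count, pids = out.get(h.dst_ip, (0, set()))
        if h.pid is not None:
            pids.add(h.pid)
        out[h.dst_ip] = (count + 1, pids)
    return out


# Constructed sample events (not captured from the real run).
SAMPLE_DNS = [DnsAnswer(1.0, "example.com", "93.184.216.34")]
SAMPLE_TCP = [
    TcpConnect(0.5, 6234, "93.184.216.34", 443),   # connect before the answer: flagged
    TcpConnect(2.0, 6234, "93.184.216.34", 443),   # connect after it: not flagged
    TcpConnect(2.5, None, "91.189.91.42", 443),
    TcpConnect(2.6, None, "91.189.91.43", 443),
    TcpConnect(2.7, None, "109.202.202.202", 80),
    TcpConnect(3.0, None, "34.249.145.219", 443),
    TcpConnect(3.1, None, "34.249.145.219", 443),
    TcpConnect(3.2, None, "34.249.145.219", 443),
    TcpConnect(4.0, 6234, "91.189.91.42", 443),
    TcpConnect(5.0, 6234, "10.0.0.5", 53),         # sandbox-internal, skipped
]

if __name__ == "__main__":
    summary = summarize(tcp_without_dns(SAMPLE_DNS, SAMPLE_TCP))
    for ip, (count, pids) in sorted(summary.items()):
        source = ",".join(str(p) for p in sorted(pids)) or "unknown"
        print(f"Source: {source} TCP traffic without DNS query: {ip} ({count} connects)")
```

The ordering check matters: a connect that precedes the DNS answer for the same address is still flagged, because at connect time the process had the address from somewhere other than that lookup. Whether a flagged address is interesting then depends on attribution, which is why the summary keeps the PID set alongside the count.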
Source: classification engine Classification label: mal48.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6314) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.OGgumjUYWx /tmp/tmp.4dxlHcGEqS /tmp/tmp.pynADpsMy4 Jump to behavior
Source: /usr/bin/dash (PID: 6315) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.OGgumjUYWx /tmp/tmp.4dxlHcGEqS /tmp/tmp.pynADpsMy4 Jump to behavior
Note: both rm invocations are executed by /usr/bin/dash (PIDs 6314 and 6315), not by the sample's process (PID 6234), and the arguments are mktemp-style names under /tmp. Confirm in the process tree that dash descends from tftp.elf before attributing the deletion to the sample.
Source: /tmp/tftp.elf (PID: 6234) Queries kernel information via 'uname': Jump to behavior
Source: tftp.elf, 6234.1.00005560ee95d000.00005560eea69000.rw-.sdmp Binary or memory string: `U!/etc/qemu-binfmt/arm
Source: tftp.elf, 6234.1.00007fff6ef68000.00007fff6ef89000.rw-.sdmp Binary or memory string: &+x86_64/usr/bin/qemu-arm/tmp/tftp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp.elf
Source: tftp.elf, 6234.1.00005560ee95d000.00005560eea69000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: tftp.elf, 6234.1.00007fff6ef68000.00007fff6ef89000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: tftp.elf, 6234.1.00005560ee95d000.00005560eea69000.rw-.sdmp Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: tftp.elf, 6234.1.00005560ee95d000.00005560eea69000.rw-.sdmp Binary or memory string: `Urg.qemu.gdb.arm.sys.regs">
Note: the memory regions above have 64-bit addresses and the strings name /usr/bin/qemu-arm and /etc/qemu-binfmt/arm, so PID 6234 is the qemu-arm user-mode emulator running the ARM sample on an x86_64 host. The environment block (SUDO_USER, PATH, DISPLAY, ...) and the qemu GDB register-description fragment belong to the emulator process and the analysis environment, not to the sample's own code or configuration. The uname hit attributed to the same PID should be read with that in mind: a uname call at process start is normal dynamic-loader behaviour, and under qemu-user the host-side syscall is issued by the emulator on the guest's behalf, so on its own it is weak evidence of evasion.
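The qemu-arm strings above are the sandbox's way of running a foreign-architecture ELF; a practitioner would normally establish the architecture (and the hashes to match against the report header) from the file before detonating it. The following is an added example, not the sandbox's or the sample's code, that decodes the ELF identification and fixed header fields for ELF32/ELF64 in either byte order and names the qemu-user binary that would be needed on an x86_64 host. SAMPLE_HEADER is a constructed 52-byte ELF32 ARM header, not the real tftp.elf; pass a path on the command line to run it against a real file.

```python
"""Read an ELF header to learn what a Linux sample needs to run.

Added example for this report, not the sandbox's own code. SAMPLE_HEADER is
a constructed ELF32 little-endian ARM header, not the real tftp.elf.
"""
import hashlib
import struct
from typing import Dict

EM_NAMES = {3: "x86", 8: "mips", 40: "arm", 62: "x86_64", 183: "aarch64", 243: "riscv"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN"}
# qemu-user binary normally used to run a foreign ELF on an x86_64 host
QEMU_USER = {"x86": "qemu-i386", "mips": "qemu-mips", "arm": "qemu-arm",
             "aarch64": "qemu-aarch64", "riscv": "qemu-riscv64"}


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Decode e_ident and the fixed part of the ELF header.

    Handles ELF32 and ELF64 in both byte orders and raises ValueError on
    anything that is not a plausible ELF header instead of guessing.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("missing ELF magic")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    bits = 32 if ei_class == 1 else 64
    if bits == 64 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(end + "HH", data[16:20])
    if bits == 32:                      # e_entry at 24 (4 bytes), e_flags at 36
        e_entry, = struct.unpack(end + "I", data[24:28])
        e_flags, = struct.unpack(end + "I", data[36:40])
    else:                               # e_entry at 24 (8 bytes), e_flags at 48
        e_entry, = struct.unpack(end + "Q", data[24:32])
        e_flags, = struct.unpack(end + "I", data[48:52])
    arch = EM_NAMES.get(e_machine, f"unknown({e_machine})")
    info: Dict[str, object] = {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "arch": arch,
        "entry": e_entry,
        # None means native on an x86_64 host, no emulator needed
        "qemu_user": None if arch == "x86_64" else QEMU_USER.get(arch, "unknown"),
    }
    if arch == "arm":
        # EF_ARM_EABIMASK is the top byte of e_flags; current ARM Linux
        # toolchains emit EABI version 5.
        info["arm_eabi"] = e_flags >> 24
    return info


def triage(data: bytes) -> Dict[str, object]:
    """Hashes for matching against the report header plus the decoded ELF header."""
    out: Dict[str, object] = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    out.update(parse_elf_header(data))
    return out


# Constructed ELF32, little-endian, EM_ARM, ET_EXEC header (52 bytes).
SAMPLE_HEADER = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8        # e_ident
    + struct.pack("<HHI", 2, 40, 1)                       # e_type, e_machine, e_version
    + struct.pack("<III", 0x8000, 52, 0)                  # e_entry, e_phoff, e_shoff
    + struct.pack("<I", 0x05000200)                       # e_flags: EABI v5, soft-float
    + struct.pack("<HHHHHH", 52, 32, 1, 40, 0, 0)         # e_ehsize .. e_shstrndx
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HEADER
    for key, value in triage(blob).items():
        print(f"{key}: {value:#x}" if key == "entry" else f"{key}: {value}")
```

If the header reports a non-native architecture, the sandbox trace will show the emulator's process image, as it does here; anything found in that image has to be attributed to emulator, environment or guest before it is used as an indicator.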