Linux Analysis Report
botnt.mpsl.elf

Overview

General Information

Sample name: botnt.mpsl.elf
Analysis ID: 1502197
MD5: 45295a1aac09c8b44fd12e939be6f330
SHA1: 48ecd56c8c2b9c07860135ea996bb171bc2ecf3e
SHA256: 978c08d7b67e8baa6ec451724a6cc5b46bf5761097426a6b84448f4024207660
Tags: botntelf

Detection

Score: 2
Range: 0 - 100
Whitelisted: false

Signatures

Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.14:37904 version: TLS 1.2
Source: global traffic TCP traffic: 192.168.2.14:34906 -> 85.203.42.10:5555
Source: global traffic TCP traffic: 192.168.2.14:51326 -> 92.38.135.253:38441
Source: /tmp/botnt.mpsl.elf (PID: 5480) Socket: 127.0.0.1:2174
Source: unknown TCP traffic detected without corresponding DNS query: 85.203.42.10
Source: unknown TCP traffic detected without corresponding DNS query: 85.203.42.10
Source: unknown TCP traffic detected without corresponding DNS query: 85.203.42.10
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 85.203.42.10
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 85.203.42.10
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 208.67.222.222
Source: global traffic DNS traffic detected: DNS query: e.foxnointel.ru
Source: global traffic DNS traffic detected: DNS query: e.dosbotbig.mom
Source: unknown Network traffic detected: HTTP traffic on port 37904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 37904
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.14:37904 version: TLS 1.2
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: clean2.linELF@0/0@4/0
Source: /usr/bin/dash (PID: 5497) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.IVmJa2rF9m /tmp/tmp.98uZxoFVPb /tmp/tmp.eU1NtABKew
Source: /usr/bin/dash (PID: 5506) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.IVmJa2rF9m /tmp/tmp.98uZxoFVPb /tmp/tmp.eU1NtABKew
Source: submitted sample Stderr: Segmentation fault: exit code = 0
Source: /tmp/botnt.mpsl.elf (PID: 5478) Queries kernel information via 'uname'
Source: botnt.mpsl.elf, 5478.1.0000563c2c032000.0000563c2c0d9000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: botnt.mpsl.elf, 5478.1.00007ffdce6ba000.00007ffdce6db000.rw-.sdmp Binary or memory string: (x86_64/usr/bin/qemu-mipsel/tmp/botnt.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/botnt.mpsl.elf
Source: botnt.mpsl.elf, 5478.1.0000563c2c032000.0000563c2c0d9000.rw-.sdmp Binary or memory string: ,<V!/etc/qemu-binfmt/mipsel
Source: botnt.mpsl.elf, 5478.1.00007ffdce6ba000.00007ffdce6db000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel