Linux Analysis Report
flow.elf

Overview

General Information

Sample name: flow.elf
Analysis ID: 1520643
MD5: 3f110a26621193c8e1a7c8f58231ad3f
SHA1: 39c767af6e1da1bd504e986107526c72a566c87e
SHA256: d7bece4b8b7eab33488a5ade41981d63f5217f5451d381daabc98758970a8282
Tags: elf

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample and/or dropped files likely contain functionality related to malicious behavior
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample and/or dropped files contains symbols with suspicious names
Sample has stripped symbol table
Sample tries to set the executable flag
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Writes ELF files to disk

Classification

AV Detection

Source: flow.elf ReversingLabs: Detection: 15%
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://blog.jaraco.com/skeleton
Source: _cffi_backend.cpython-310-x86_64-linux-gnu.so.16.dr String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/fake-useragent/fake-useragent/blob/main/AUTHORS).
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/psf/black
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/python/importlib_metadata
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/python/importlib_metadata/workflows/tests/badge.svg
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://github.com/tailhook/injections
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://img.shields.io/badge/code%20style-black-000000.svg
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://img.shields.io/badge/skeleton-2021-informational
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://importlib_metadata.readthedocs.io/
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://pypi.org/project/black/)
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://pypi.org/project/fake-useragent/#history)):
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: flow.elf, 6229.1.000000000104e000.0000000001070000.rw-.sdmp String found in binary or memory: https://www.w3schools.com/browsers/browsers_stats.asp
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: _openssl.abi3.so.16.dr ELF static info symbol of dropped file: SSL_CTX_get_keylog_callback
Source: _openssl.abi3.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_keylog_callback
Source: _ssl.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_keylog_callback
Source: _openssl.abi3.so.16.dr ELF static info symbol of dropped file: Cryptography_pem_password_cb
Source: _openssl.abi3.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: _openssl.abi3.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: _ssl.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb
Source: _ssl.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb_userdata
Source: _ssl.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: _ssl.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: readline.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: PyOS_InputHook
Source: readline.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: rl_completion_display_matches_hook
Source: readline.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: rl_pre_input_hook
Source: readline.cpython-310-x86_64-linux-gnu.so.16.dr ELF static info symbol of dropped file: rl_startup_hook
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.linELF@0/29@0/0
Source: /usr/bin/dash (PID: 6199) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.9Q77JLay1z /tmp/tmp.M1BKrdKBH5 /tmp/tmp.qgT6A2WxQj
Source: /usr/bin/dash (PID: 6200) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.9Q77JLay1z /tmp/tmp.M1BKrdKBH5 /tmp/tmp.qgT6A2WxQj
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/_cffi_backend.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/bcrypt/_bcrypt.abi3.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/cryptography/hazmat/bindings/_openssl.abi3.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_bz2.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_codecs_cn.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_codecs_hk.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_codecs_iso2022.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_codecs_jp.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_codecs_kr.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_codecs_tw.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_contextvars.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_ctypes.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_decimal.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_hashlib.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_json.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_lzma.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_multibytecodec.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_multiprocessing.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_opcode.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_posixshmem.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_queue.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_ssl.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/_uuid.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/mmap.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/readline.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/resource.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/lib-dynload/termios.cpython-310-x86_64-linux-gnu.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libbz2.so.1.0 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libcrypto.so.3 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libexpat.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libffi.so.8 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/liblzma.so.5 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libmpdec.so.3 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libpython3.10.so.1.0 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libreadline.so.8 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libssl.so.3 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libtinfo.so.6 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libuuid.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/libz.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File: /tmp/_MEIx67uLe/ossl-modules/legacy.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/_cffi_backend.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/bcrypt/_bcrypt.abi3.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/cryptography/hazmat/bindings/_openssl.abi3.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_bz2.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_codecs_cn.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_codecs_hk.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_codecs_iso2022.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_codecs_jp.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_codecs_kr.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_codecs_tw.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_contextvars.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_ctypes.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_decimal.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_hashlib.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_json.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_lzma.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_multibytecodec.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_multiprocessing.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_opcode.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_posixshmem.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_queue.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_ssl.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/_uuid.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/mmap.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/readline.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/resource.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/lib-dynload/termios.cpython-310-x86_64-linux-gnu.so
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/libbz2.so.1.0
Source: /tmp/flow.elf (PID: 6229) File written: /tmp/_MEIx67uLe/libcrypto.so.3
Source: _bcrypt.abi3.so.16.dr Dropped file: segment LOAD with 7.4819 entropy (max. 8.0)
Source: _codecs_cn.cpython-310-x86_64-linux-gnu.so.16.dr Dropped file: segment LOAD with 7.6419 entropy (max. 8.0)