Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1527083
MD5: 4ef77a9fe1c6bef7ad98c2693f24752e
SHA1: 7c5fe019d12ae5ca6efa5166db92224daf75be3c
SHA256: f3865e7fdd121acf07e8f71010f9bba08d659745ccefcc1c1b7037cead94e5df
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai, Moobot
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mirai
Yara detected Moobot
Contains symbols with names commonly found in malware
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample and/or dropped files contains symbols with suspicious names
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Name Description Attribution Blogpost URLs Link
MooBot No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: na.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: na.elf ReversingLabs: Detection: 55%

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2030491 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+) : 192.168.2.14:35668 -> 181.41.196.16:33006
Source: Network traffic Suricata IDS: 2030489 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response : 181.41.196.16:33006 -> 192.168.2.14:35668
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:35668 -> 181.41.196.16:33006
Sample listens on a socket
Source: /tmp/na.elf (PID: 5494) Socket: 0.0.0.0:25265 Jump to behavior
Source: global traffic DNS traffic detected: DNS query: xz33006.h52l.com

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5494.1.00007f0484017000.00007f048402d000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5494, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_gre_ip
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_kill_all
Source: ELF static info symbol of initial sample Name: attack_method_nudp
Source: ELF static info symbol of initial sample Name: attack_method_stdhex
Source: ELF static info symbol of initial sample Name: attack_method_tcpbypass
Sample and/or dropped files contains symbols with suspicious names
Source: na.elf ELF static info symbol of initial sample: __gnu_unwind_execute
Yara signature match
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5494.1.00007f0484017000.00007f048402d000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5494, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal100.troj.evad.linELF@0/0@1/0
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5473) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.xbgCNgoT0n /tmp/tmp.EmzAJqfg9z /tmp/tmp.3icbhRhNLR Jump to behavior
Source: /usr/bin/dash (PID: 5482) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.xbgCNgoT0n /tmp/tmp.EmzAJqfg9z /tmp/tmp.3icbhRhNLR Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/na.elf (PID: 5494) File: /tmp/na.elf Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5494) Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5494.1.00007ffe15efe000.00007ffe15f1f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5494.1.00005565fea7a000.00005565febc9000.rw-.sdmp Binary or memory string: eU!/etc/qemu-binfmt/arm
Source: na.elf, 5494.1.00005565fea7a000.00005565febc9000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5494.1.00007ffe15efe000.00007ffe15f1f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: na.elf, type: SAMPLE
Source: Yara match File source: 5494.1.00007f0484017000.00007f048402d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: na.elf PID: 5494, type: MEMORYSTR
Yara detected Moobot
Source: Yara match File source: na.elf, type: SAMPLE
Source: Yara match File source: 5494.1.00007f0484017000.00007f048402d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: na.elf PID: 5494, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Mirai
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic Suricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
Yara detected Mirai
Source: Yara match File source: na.elf, type: SAMPLE
Source: Yara match File source: 5494.1.00007f0484017000.00007f048402d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: na.elf PID: 5494, type: MEMORYSTR
Yara detected Moobot
Source: Yara match File source: na.elf, type: SAMPLE
Source: Yara match File source: 5494.1.00007f0484017000.00007f048402d000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: na.elf PID: 5494, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
181.41.196.16
 xz33006.h52l.com Chile
61317 ASDETUKhttpwwwheficedcomGB true

Contacted Domains

Name IP Active
xz33006.h52l.com 181.41.196.16 true