Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1527154
MD5: 81dd71e9f03de8f7b5d7bd0066e9c205
SHA1: 0edf3d61c024022d383bfc979bb975baa97eb8da
SHA256: f10799c82050872254a29aa22acbb636db36d6a2d9c48311bbb4f6c6ac8ccf84
Tags: elfuser-abuse_ch

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Reads system information from the proc file system
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Yara signature match

Classification

AV Detection

Source: na.elf Avira: detected
Source: na.elf ReversingLabs: Detection: 28%
Source: na.elf Joe Sandbox ML: detected

System Summary

Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5519.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5519.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5575.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5575.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/na.elf (PID: 5521) SIGKILL sent: pid: 1553, result: successful
Source: /tmp/na.elf (PID: 5521) SIGKILL sent: pid: 1659, result: successful
Source: /tmp/na.elf (PID: 5521) SIGKILL sent: pid: 5660, result: successful
Source: /tmp/na.elf (PID: 5521) SIGKILL sent: pid: 5663, result: successful
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: na.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5519.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5519.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5575.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5575.1.0000000008048000.0000000008058000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: classification engine Classification label: mal72.troj.linELF@0/1@0/0

Persistence and Installation Behavior

Source: /tmp/na.elf (PID: 5519) File: /proc/5519/mounts
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5660/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5663/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3241/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3483/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1732/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1333/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1695/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3235/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3234/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5533/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5654/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5655/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1617/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1615/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/917/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5670/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5671/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5672/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5673/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5674/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5675/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3255/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3253/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1591/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3252/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3251/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3250/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1623/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1588/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3249/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/764/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3368/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1585/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3246/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3488/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/766/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/800/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/888/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/802/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1509/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5667/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/803/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5668/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/804/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5669/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1867/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3407/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5680/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5681/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5682/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5683/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5684/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5685/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5686/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1484/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/490/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1514/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5717/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5718/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1479/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5719/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3379/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/777/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/931/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1595/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5676/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/658/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/779/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/812/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/933/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5677/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5678/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5679/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3419/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5694/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5695/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5696/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5697/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5730/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3310/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3275/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3274/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3273/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3394/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3272/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5728/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/782/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5729/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3303/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1762/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/3027/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1486/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/789/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5687/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5720/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5721/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5601/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/1806/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5722/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5723/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5603/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5724/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5604/cmdline
Source: /tmp/na.elf (PID: 5521) File opened: /proc/5725/cmdline
Source: /tmp/na.elf (PID: 5575) Reads from proc file: /proc/stat
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
No contacted IP infos