Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1527368
MD5: c669c8487b5586dc6580ea8e2bd29719
SHA1: 264a4998ce2926b15e6974032be216b01168f60e
SHA256: 73fc8f69d01fb8c5e37f19df9aa8e84d5724dde24cc124004167f450873d40f2
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: na.elf ReversingLabs: Detection: 28%
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:38832 -> 152.136.107.163:3232
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: unknown TCP traffic detected without corresponding DNS query: 152.136.107.163
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elf String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $
Source: submitted sample Stderr: 2024/10/06 16:01:51 Forking2024/10/06 16:01:51 Connecting to 152.136.107.163:32322024/10/06 16:01:54 Successfully connnected 152.136.107.163:32322024/10/06 16:01:55 [client] INFO global.go:118 RegisterChannelCallbacks() : Handling channel: jump2024/10/06 16:01:57 [152.136.107.163:3232] INFO jumphost.go:52 func1() : New SSH connection, version SSH-2.0-paramiko_3.0.02024/10/06 16:01:58 [152.136.107.163:3232] INFO global.go:118 RegisterChannelCallbacks() : Handling channel: session2024/10/06 16:01:59 [152.136.107.163:3232] INFO global.go:118 RegisterChannelCallbacks() : Handling channel: session2024/10/06 16:02:00 [152.136.107.163:3232] INFO session.go:57 Session() : Session got request: "exec"2024/10/06 16:02:00 [152.136.107.163:3232] INFO session.go:109 Session() : Session disconnected2024/10/06 16:02:00 [152.136.107.163:3232] INFO session.go:157 Session() : Session disconnected2024/10/06 16:02:00 [client] ERROR jumphost.go:97 func1() : Channel call back error: connection terminated: exit code = 0
ELF contains segments with high entropy indicating compressed/encrypted content
Source: na.elf Submission file: segment LOAD with 7.8829 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /proc/self/exe (PID: 5642) Queries kernel information via 'uname': Jump to behavior
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
152.136.107.163
 unknown China
45090 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa false

Contacted Domains

Name IP Active
daisy.ubuntu.com unknown unknown