Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1527369
MD5: 3559c2707f62c1f865580cee7b3171cd
SHA1: 66eca3476f4dfc614509816801949071f77b71ca
SHA256: 03f22c5d73c3cf11b65b6cfa90fbfc2571e76f9b3e8e0443685d739cf1002d8f
Tags: elf, Supershell, user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Suricata IDS alerts for network traffic
Machine Learning detection for sample
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: na.elf Joe Sandbox ML: detected

Networking

Source: Network traffic Suricata IDS: 2850023 - Severity 1 - ETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response : 111.229.211.161:3232 -> 192.168.2.15:51342
Source: global traffic TCP traffic: 192.168.2.15:51342 -> 111.229.211.161:3232
Source: unknown TCP traffic detected without corresponding DNS query: 111.229.211.161 (50 occurrences)
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elf String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal56.evad.linELF@0/0@2/0
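The Networking findings are three weak signals stacked together: a JA3 match that only says the peer runs a Go TLS stack, TCP to a non-standard port, and connections to an address the host never resolved (the only DNS query is the Ubuntu crash-reporter name). On a real host each of these can be benign (hard-coded CDN addresses, DoH clients), so they are scoring inputs rather than a verdict. The following Python is an added example, not part of the Joe Sandbox report: it correlates a DNS answer log with a connection log to flag outbound TCP to never-resolved destinations, and pulls the C2 endpoint, WebSocket URL, peer SSH banner and requested channel types out of the client stderr lines shown under Data Obfuscation. The "<ts> key=value" log format, the timestamps and the 198.51.100.7 answer are constructed placeholders; 111.229.211.161:3232 is the endpoint named in the report, and the STANDARD_PORTS set is an assumed allowlist to tune per environment.

```python
import ipaddress
import re

# Constructed sample logs (not the sandbox's pcap). Timestamps and the
# 198.51.100.7 answer are placeholders; 111.229.211.161:3232 is the endpoint
# named in the report. One record per line: "<ts> key=value key=value ...".
DNS_LOG = """\
1728230590 query=daisy.ubuntu.com answer=198.51.100.7
"""
CONN_LOG = """\
1728230592 src=192.168.2.15:51342 dst=111.229.211.161:3232 proto=tcp
1728230596 src=192.168.2.15:51350 dst=111.229.211.161:3232 proto=tcp
1728230597 src=192.168.2.15:44210 dst=198.51.100.7:443 proto=tcp
1728230598 src=192.168.2.15:56000 dst=10.0.0.5:22 proto=tcp
"""

# Assumed allowlist of "standard" outbound ports; a heuristic, tune per site.
STANDARD_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """RFC 1918 or loopback destination: not interesting for C2 beaconing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_kv(line: str) -> dict:
    """'<ts> k=v k=v' -> {'ts': int, 'k': 'v', ...}"""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = int(ts)
    return fields


def resolved_addresses(dns_log: str) -> set:
    """Every IP that appeared in a DNS answer the host actually received."""
    return {parse_kv(l)["answer"] for l in dns_log.splitlines() if l.strip()}


def flag_connections(dns_log: str, conn_log: str) -> list:
    """Return (dst_ip, dst_port, [reasons]) per suspicious external TCP destination."""
    known = resolved_addresses(dns_log)
    hits, seen = [], set()
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = parse_kv(line)
        if rec.get("proto") != "tcp":
            continue
        dst_ip, dst_port = rec["dst"].rsplit(":", 1)
        port = int(dst_port)
        if is_internal(dst_ip) or (dst_ip, port) in seen:
            continue  # internal peer, or already reported (the 50 repeats above)
        reasons = []
        if dst_ip not in known:
            reasons.append("no DNS answer for destination")
        if port not in STANDARD_PORTS:
            reasons.append("non-standard port")
        if reasons:
            seen.add((dst_ip, port))
            hits.append((dst_ip, port, reasons))
    return hits


# Client log lines as the report shows them (the sample's stderr), one per timestamp.
STDERR = """\
2024/10/06 16:03:12 Connecting to 111.229.211.161:3232
2024/10/06 16:03:16 Successfully connnected 111.229.211.161:3232
2024/10/06 16:03:19 [ws://111.229.211.161:3232/ws] INFO ??:1 () : New SSH connection, version SSH-2.0-paramiko_3.0.0
2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 IFu6thF7() : Session got request: "exec"
"""

C2_RE = re.compile(r"Connecting to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
WS_RE = re.compile(r"\[(wss?://[^\]/]+/ws)\]")
SSH_RE = re.compile(r"version (SSH-\S+)")
REQ_RE = re.compile(r'Session got request: "(\w+)"')


def c2_indicators(stderr: str) -> dict:
    """Extract C2 endpoint, WebSocket URL, peer SSH banner and channel requests."""
    out = {"c2": None, "ws_url": None, "ssh_banner": None, "requests": []}
    for line in stderr.splitlines():
        if m := C2_RE.search(line):
            out["c2"] = (m.group(1), int(m.group(2)))
        if m := WS_RE.search(line):
            out["ws_url"] = m.group(1)
        if m := SSH_RE.search(line):
            out["ssh_banner"] = m.group(1)
        if m := REQ_RE.search(line):
            out["requests"].append(m.group(1))
    return out


if __name__ == "__main__":
    for ip, port, why in flag_connections(DNS_LOG, CONN_LOG):
        print(f"{ip}:{port}  {'; '.join(why)}")
    print(c2_indicators(STDERR))
```

The SSH banner is worth keeping as an indicator: the sample speaks SSH over a WebSocket to the server, and the server side identifies itself as paramiko, which is the server component rather than something the client controls.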

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $
Source: submitted sample Stderr:
  2024/10/06 16:03:12 Forking
  2024/10/06 16:03:12 Connecting to 111.229.211.161:3232
  2024/10/06 16:03:16 Successfully connnected 111.229.211.161:3232
  2024/10/06 16:03:16 [client] INFO ??:1 BoFsrOtr() : Handling channel: jump
  2024/10/06 16:03:19 [ws://111.229.211.161:3232/ws] INFO ??:1 () : New SSH connection, version SSH-2.0-paramiko_3.0.0
  2024/10/06 16:03:20 [ws://111.229.211.161:3232/ws] INFO ??:1 BoFsrOtr() : Handling channel: session
  2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 BoFsrOtr() : Handling channel: session
  2024/10/06 16:03:21 [ws://111.229.211.161:3232/ws] INFO ??:1 IFu6thF7() : Session got request: "exec"
  2024/10/06 16:03:22 [ws://111.229.211.161:3232/ws] INFO ??:3 IFu6thF7() : Session disconnected
  2024/10/06 16:03:22 [ws://111.229.211.161:3232/ws] INFO ??:6 IFu6thF7() : Session disconnected
  2024/10/06 16:03:22 [client] ERROR ??:1 () : Channel call back error: connection terminated: exit code = 0
Source: na.elf Submission file: segment LOAD with 7.8854 entropy (max. 8.0)
Source: /proc/self/exe (PID: 5546) Queries kernel information via 'uname': Jump to behavior
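The packing findings above (UPX info and copyright strings, a single LOAD segment at 0x400000 with 7.8854 entropy, no section mappings) are what a packed Go binary looks like before unpacking, and they can be reproduced on any ELF with a short program-header parser. The following Python is an added example, not part of the Joe Sandbox report and not the sandbox's own logic: it parses the ELF64 header and program headers, measures per-segment Shannon entropy, and checks for the UPX marker strings. Instead of na.elf it builds a constructed stand-in image (one LOAD segment, e_shnum = 0, UPX info string followed by seeded pseudo-random bytes); the 7.0 entropy cutoff is an assumed threshold. A high-entropy LOAD segment without any UPX marker would still be worth a look, since other packers and custom loaders produce the same layout, and an intact marker does not guarantee that `upx -d` will succeed if the headers were modified.

```python
import math
import random
import struct

PT_LOAD = 1
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_elf64(blob: bytes) -> dict:
    """Read the ELF64 header and program headers; enough for packer triage."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if blob[4] != 2:  # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 handled here")
    end = "<" if blob[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, e_shnum,
     _shstrndx) = struct.unpack_from(end + "HHIQQQIHHHHHH", blob, 16)
    segments = []
    for i in range(e_phnum):
        (p_type, _pflags, p_offset, p_vaddr, _paddr, p_filesz,
         p_memsz, _align) = struct.unpack_from(
            end + "IIQQQQQQ", blob, e_phoff + i * e_phentsize)
        body = blob[p_offset:p_offset + p_filesz]
        segments.append({"type": p_type, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz,
                         "entropy": shannon_entropy(body)})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "shoff": e_shoff, "shnum": e_shnum, "segments": segments}


def triage(blob: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_elf64(blob)
    findings = []
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    if info["shnum"] == 0 and loads:
        # UPX strips the section header table; only program headers remain.
        findings.append("no section headers: LOAD segments only")
    for s in loads:
        if s["entropy"] >= entropy_threshold:
            findings.append(f"LOAD at {s['vaddr']:#x} has entropy "
                            f"{s['entropy']:.4f} (compressed/encrypted?)")
    if any(m in blob for m in UPX_MARKERS):
        findings.append("UPX marker string present")
    return findings


def build_sample_elf(payload_size: int = 4096) -> bytes:
    """Constructed stand-in for a UPX-packed x86-64 binary: one LOAD segment,
    no section headers, UPX info string followed by pseudo-random bytes."""
    rng = random.Random(1)  # fixed seed so the example is reproducible
    payload = (b"$Info: This file is packed with the UPX executable packer "
               b"http://upx.sf.net $" +
               bytes(rng.getrandbits(8) for _ in range(payload_size)))
    phoff, phentsize, data_off = 64, 56, 64 + 56
    # e_ident, then e_type=ET_EXEC, e_machine=EM_X86_64, e_shoff=0, e_shnum=0
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 +
            struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000 + data_off,
                        phoff, 0, 0, 64, phentsize, 1, 64, 0, 0))
    # p_type=PT_LOAD, p_flags=R+X, mapped at 0x400000 like the report's segment
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, data_off, 0x400000,
                       0x400000, len(payload), len(payload), 0x1000)
    return ehdr + phdr + payload


SAMPLE_ELF = build_sample_elf()

if __name__ == "__main__":
    for line in triage(SAMPLE_ELF):
        print(line)
```

Run it against a real file with `triage(open(path, "rb").read())`; for a UPX-packed Go binary expect all three findings, and for an unpacked one expect several LOAD segments, a non-zero section count and entropy well below the cutoff for the code segment.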