Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1528119
MD5: 99b392663b706132ff5084ebb8efda50
SHA1: d8ebf610367735a7fbe7178dfa45c93d47bf3ad4
SHA256: 1a532d07e86c2f6c57bebe91797859088241391573d1863e52913bec109876c0
Tags: elf, user-abuse_ch

Detection

Gafgyt
Score: 88
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Gafgyt
Opens /proc/net/* files useful for finding connected devices and routers
Uses IRC for communication with a C&C
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of network range scanning capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Name: Bashlite, Gafgyt
Description: Bashlite is a malware family that infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks. It was originally also known as Bashdoor, but that name now refers to the exploit method the malware used. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

AV Detection

Source: na.elf Avira: detected
Source: na.elf Malware Configuration Extractor: Gafgyt {"C2 url": "192.227.146.254:6667"}
Source: na.elf ReversingLabs: Detection: 63%

Spreading

Source: /tmp/na.elf (PID: 5519) Opens: /proc/net/route
Source: Initial sample String containing an IP format string found: 112.5.%d.%d
Source: Initial sample String containing an IP format string found: 117.165.%d.%d
Source: Initial sample String containing an IP format string found: 85.3.%d.%d
Source: Initial sample String containing an IP format string found: 41.252.%d.%d
Source: Initial sample String containing an IP format string found: 104.55.%d.%d
Source: Initial sample String containing an IP format string found: 78.186.%d.%d
Source: Initial sample String containing an IP format string found: 78.189.%d.%d
Source: Initial sample String containing an IP format string found: 221.120.%d.%d
Source: Initial sample String containing an IP format string found: 88.5.%d.%d
Source: Initial sample String containing an IP format string found: 41.254.%d.%d
Source: Initial sample String containing an IP format string found: 103.20.%d.%d
Source: Initial sample String containing an IP format string found: 103.47.%d.%d
Source: Initial sample String containing an IP format string found: 103.57.%d.%d
Source: Initial sample String containing an IP format string found: 45.117.%d.%d
Source: Initial sample String containing an IP format string found: 101.51.%d.%d
Source: Initial sample String containing an IP format string found: 137.59.%d.%d
Source: Initial sample String containing an IP format string found: 14.204.%d.%d
Source: Initial sample String containing an IP format string found: 27.50.%d.%d
Source: Initial sample String containing an IP format string found: 27.54.%d.%d
Source: Initial sample String containing an IP format string found: 27.98.%d.%d
Source: Initial sample String containing an IP format string found: 36.32.%d.%d
Source: Initial sample String containing an IP format string found: 36.248.%d.%d
Source: Initial sample String containing an IP format string found: 39.64.%d.%d
Source: Initial sample String containing an IP format string found: 43.253.%d.%d
Source: Initial sample String containing an IP format string found: 43.230.%d.%d
Source: Initial sample String containing an IP format string found: 163.53.%d.%d
Source: Initial sample String containing an IP format string found: 43.245.%d.%d
Source: Initial sample String containing an IP format string found: 123.25.%d.%d
Source: Initial sample String containing an IP format string found: 103.54.%d.%d
Source: Initial sample String containing an IP format string found: 27.255.%d.%d
Source: Initial sample String containing an IP format string found: 103.204.%d.%d
Source: Initial sample String containing an IP format string found: 123.24.%d.%d
Source: Initial sample String containing an IP format string found: 113.191.%d.%d
Source: Initial sample String containing an IP format string found: 113.188.%d.%d
Source: Initial sample String containing an IP format string found: 113.189.%d.%d
Source: Initial sample String containing an IP format string found: 14.160.%d.%d
Source: Initial sample String containing an IP format string found: 14.161.%d.%d
Source: Initial sample String containing an IP format string found: 14.162.%d.%d
Source: Initial sample String containing an IP format string found: 14.163.%d.%d
Source: Initial sample String containing an IP format string found: 14.164.%d.%d
Source: Initial sample String containing an IP format string found: 14.165.%d.%d
Source: Initial sample String containing an IP format string found: 14.166.%d.%d
Source: Initial sample String containing an IP format string found: 14.167.%d.%d
Source: Initial sample String containing an IP format string found: 14.168.%d.%d
Source: Initial sample String containing an IP format string found: 14.169.%d.%d
Source: Initial sample String containing an IP format string found: 14.170.%d.%d
Source: Initial sample String containing an IP format string found: 14.171.%d.%d
Source: Initial sample String containing an IP format string found: 14.172.%d.%d
Source: Initial sample String containing an IP format string found: 14.173.%d.%d
Source: Initial sample String containing an IP format string found: 14.174.%d.%d
Source: Initial sample String containing an IP format string found: 14.175.%d.%d
Source: Initial sample String containing an IP format string found: 14.176.%d.%d
Source: Initial sample String containing an IP format string found: 14.177.%d.%d
Source: Initial sample String containing an IP format string found: 14.178.%d.%d
Source: Initial sample String containing an IP format string found: 14.179.%d.%d
Source: Initial sample String containing an IP format string found: 14.180.%d.%d
Source: Initial sample String containing an IP format string found: 14.181.%d.%d
Source: Initial sample String containing an IP format string found: 14.182.%d.%d
Source: Initial sample String containing an IP format string found: 14.183.%d.%d
Source: Initial sample String containing an IP format string found: 14.184.%d.%d
Source: Initial sample String containing an IP format string found: 14.185.%d.%d
Source: Initial sample String containing an IP format string found: 14.186.%d.%d
Source: Initial sample String containing an IP format string found: 14.187.%d.%d
Source: Initial sample String containing an IP format string found: 14.188.%d.%d
Source: Initial sample String containing an IP format string found: 14.189.%d.%d
Source: Initial sample String containing an IP format string found: 14.190.%d.%d
Source: Initial sample String containing an IP format string found: 14.191.%d.%d
Source: Initial sample String containing an IP format string found: 45.121.%d.%d
Source: Initial sample String containing an IP format string found: 45.120.%d.%d
Source: Initial sample String containing an IP format string found: 45.115.%d.%d
Source: Initial sample String containing an IP format string found: 43.252.%d.%d
Source: Initial sample String containing an IP format string found: 43.240.%d.%d
Source: Initial sample String containing an IP format string found: 41.174.%d.%d
Source: Initial sample String containing an IP format string found: 45.127.%d.%d
Source: Initial sample String containing an IP format string found: 103.30.%d.%d
Source: Initial sample String containing an IP format string found: 123.16.%d.%d
Source: Initial sample String containing an IP format string found: 202.44.%d.%d
Source: Initial sample String containing an IP format string found: 116.93.%d.%d
Source: Initial sample String containing an IP format string found: 41.253.%d.%d
Source: Initial sample String containing an IP format string found: 117.173.%d.%d
Source: Initial sample String containing an IP format string found: 113.190.%d.%d
Source: Initial sample String containing an IP format string found: 112.196.%d.%d
Source: Initial sample String containing an IP format string found: 113.178.%d.%d
Source: Initial sample String containing an IP format string found: 112.45.%d.%d
Source: Initial sample String containing an IP format string found: 183.223.%d.%d
Source: Initial sample String containing an IP format string found: 116.71.%d.%d
Source: Initial sample String containing an IP format string found: 103.44.%d.%d
Source: Initial sample String containing an IP format string found: 110.235.%d.%d
Source: Initial sample String containing an IP format string found: 124.253.%d.%d
Source: Initial sample String containing an IP format string found: 211.237.%d.%d
Source: Initial sample String containing an IP format string found: 117.175.%d.%d
Source: Initial sample String containing an IP format string found: 111.9.%d.%d
Source: Initial sample String containing an IP format string found: 222.252.%d.%d
Source: Initial sample String containing an IP format string found: 113.174.%d.%d
Source: Initial sample String containing an IP format string found: 113.160.%d.%d
Source: Initial sample String containing an IP format string found: 113.161.%d.%d
Source: Initial sample String containing an IP format string found: 113.162.%d.%d
Source: Initial sample String containing an IP format string found: 113.163.%d.%d
Source: Initial sample String containing an IP format string found: 113.164.%d.%d
Source: Initial sample String containing an IP format string found: 113.165.%d.%d

Networking

Source: Network traffic Suricata IDS: 2836862 - Severity 1 - ETPRO MALWARE ELF/HITTA Bot CnC Checkin : 192.168.2.15:37988 -> 192.227.146.254:6667
Source: Network traffic Suricata IDS: 2842256 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin : 192.168.2.15:37988 -> 192.227.146.254:6667
Source: Network traffic Suricata IDS: 2836863 - Severity 1 - ETPRO MALWARE ELF/HITTA Bot Infection Status Inbound : 192.227.146.254:6667 -> 192.168.2.15:37988
Source: unknown IRC traffic detected: 192.168.2.15:37988 -> 192.227.146.254:6667 [0;32m[CONNECTED] [HITTA] [192.168.2.15]
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.146.254
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.146.254
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.146.254
Source: unknown TCP traffic detected without corresponding DNS query: 192.227.146.254
Source: unknown TCP traffic detected without corresponding DNS query: 43.230.36.24
Source: unknown TCP traffic detected without corresponding DNS query: 103.255.113.114
Source: unknown TCP traffic detected without corresponding DNS query: 103.20.97.163
Source: unknown TCP traffic detected without corresponding DNS query: 222.252.205.59
Source: unknown TCP traffic detected without corresponding DNS query: 14.186.107.143
Source: unknown TCP traffic detected without corresponding DNS query: 14.180.172.72
Source: unknown TCP traffic detected without corresponding DNS query: 43.230.36.24
Source: unknown TCP traffic detected without corresponding DNS query: 183.223.106.10
Source: unknown TCP traffic detected without corresponding DNS query: 103.255.113.114
Source: unknown TCP traffic detected without corresponding DNS query: 14.173.171.32
Source: unknown TCP traffic detected without corresponding DNS query: 103.30.157.102
Source: unknown TCP traffic detected without corresponding DNS query: 103.20.97.163
Source: unknown TCP traffic detected without corresponding DNS query: 222.252.205.59
Source: unknown TCP traffic detected without corresponding DNS query: 103.225.7.248
Source: unknown TCP traffic detected without corresponding DNS query: 88.105.47.29
Source: unknown TCP traffic detected without corresponding DNS query: 14.186.107.143
Source: unknown TCP traffic detected without corresponding DNS query: 117.173.9.232
Source: unknown TCP traffic detected without corresponding DNS query: 14.180.172.72
Source: unknown TCP traffic detected without corresponding DNS query: 183.223.106.10
Source: unknown TCP traffic detected without corresponding DNS query: 36.32.243.193
Source: unknown TCP traffic detected without corresponding DNS query: 14.173.171.32
Source: unknown TCP traffic detected without corresponding DNS query: 162.12.82.156
Source: unknown TCP traffic detected without corresponding DNS query: 103.30.157.102
Source: unknown TCP traffic detected without corresponding DNS query: 123.21.26.55
Source: unknown TCP traffic detected without corresponding DNS query: 103.225.7.248
Source: unknown TCP traffic detected without corresponding DNS query: 137.59.199.146
Source: unknown TCP traffic detected without corresponding DNS query: 88.105.47.29
Source: unknown TCP traffic detected without corresponding DNS query: 43.228.72.151
Source: unknown TCP traffic detected without corresponding DNS query: 117.173.9.232
Source: unknown TCP traffic detected without corresponding DNS query: 14.183.185.41
Source: unknown TCP traffic detected without corresponding DNS query: 103.195.91.185
Source: unknown TCP traffic detected without corresponding DNS query: 36.32.243.193
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.219.92
Source: unknown TCP traffic detected without corresponding DNS query: 162.12.82.156
Source: unknown TCP traffic detected without corresponding DNS query: 211.237.237.182
Source: unknown TCP traffic detected without corresponding DNS query: 123.21.26.55
Source: unknown TCP traffic detected without corresponding DNS query: 123.17.46.71
Source: unknown TCP traffic detected without corresponding DNS query: 137.59.199.146
Source: unknown TCP traffic detected without corresponding DNS query: 137.59.252.124
Source: unknown TCP traffic detected without corresponding DNS query: 43.228.72.151
Source: unknown TCP traffic detected without corresponding DNS query: 14.186.233.238
Source: unknown TCP traffic detected without corresponding DNS query: 14.183.185.41
Source: unknown TCP traffic detected without corresponding DNS query: 104.55.182.145
Source: unknown TCP traffic detected without corresponding DNS query: 103.195.91.185
Source: unknown TCP traffic detected without corresponding DNS query: 41.252.40.148
Source: unknown TCP traffic detected without corresponding DNS query: 103.14.219.92
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elf String found in binary or memory: http://192.227.146.254/deltahaxsyeaok.sh;
Source: na.elf String found in binary or memory: http://code.google.com/appengine;
Source: na.elf String found in binary or memory: http://majestic12.co.uk/bot.php?
Source: na.elf String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/)
Source: na.elf String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/)Mozilla/5.0
Source: na.elf String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/)findlinks/1.1.5-beta7
Source: na.elf String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/)findlinks/1.1.6-beta1
Source: na.elf String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/)findlinks/1.1.6-beta4
Source: na.elf String found in binary or memory: http://wortschatz.uni-leipzig.de/findlinks/)findlinks/1.1.6-beta6
Source: na.elf String found in binary or memory: http://www.brandwatch.net)
Source: na.elf String found in binary or memory: http://www.brandwatch.net)Mozilla/5.0
Source: na.elf String found in binary or memory: http://www.majestic12.co.uk/bot.php?
Source: na.elf String found in binary or memory: http://www.mojeek.com/bot.html)
Source: na.elf ELF static info symbol of initial sample: PhoneScan
Source: na.elf ELF static info symbol of initial sample: PhoneScanner
Source: na.elf ELF static info symbol of initial sample: Phonepid
Source: na.elf ELF static info symbol of initial sample: passwords
Source: na.elf ELF static info symbol of initial sample: phone
Source: na.elf ELF static info symbol of initial sample: phonepayload
Source: na.elf ELF static info symbol of initial sample: usernames
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: telnet:oginsernameasswordLinux9615-cdpnvalidailedncorrecteniedrroroodbyebadbusybox$#Device Repped/dev/netslink//tmp//var//dev//var/run//dev/shm//mnt//boot//usr//opt/192.227.146.254:6667/usr/dict/wordsr(null)buf: %s
Source: Initial sample String containing 'busybox' found: busybox*
Source: Initial sample String containing 'busybox' found: tFailed opening raw socket.Failed setting raw headers mode.all,synrstfinackpshInvalid flag "%s"jackmy*busybox*bin*sex*tftp*arm*mipsel*mips*mips64*i686*sparc*sh4*bot*jackmeoff*hackz*bruv*momentum*hakai*yowai*katana*a-r-m*a-r-m-4*a-r-m-7*m-i-p-s*Sakura*
Source: Initial sample String containing 'busybox' found: pkill -9 busybox
Source: Initial sample String containing 'busybox' found: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*rm -rf /var/log/wtmphistory -c;history -wrm -rf /tmp/*history -crm -rf ~/.bash_historyrm -rf /bin/netstathistory -wpkill -9 busyboxpkill -9 perlservice iptables stop/sbin/iptables -F;/sbin/iptables -XPONG!GETLOCALIPMy IP: %sBOTKILL[BOTKILLER] [STARTED] [%s]SCANNEROFFONUDPHTTPHTTP %s Flooding %s:%d for %d secondsPHONESTDTCPKILLATTKLOLNOGTFO8.8.8.8/proc/net/route00000000HITTA[CONNECTED] [%s] [%s]
Source: classification engine Classification label: mal88.spre.troj.linELF@0/1@2/0
Source: na.elf ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/brk.S
Source: na.elf ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/crt1.S
Source: na.elf ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/crti.S
Source: na.elf ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/crtn.S
Source: na.elf ELF static info symbol of initial sample: libc/sysdeps/linux/powerpc/vfork.S
Source: /tmp/na.elf (PID: 5519) Queries kernel information via 'uname'
Source: na.elf, 5519.1.00005594f51ae000.00005594f525e000.rw-.sdmp, na.elf, 5521.1.00005594f51ae000.00005594f525e000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: na.elf, 5519.1.00005594f51ae000.00005594f525e000.rw-.sdmp, na.elf, 5521.1.00005594f51ae000.00005594f525e000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: na.elf, 5519.1.00007ffd4dca2000.00007ffd4dcc3000.rw-.sdmp Binary or memory string: U/tmp/qemu-open.DZaULx\
Source: na.elf, 5519.1.00007ffd4dca2000.00007ffd4dcc3000.rw-.sdmp, na.elf, 5521.1.00007ffd4dca2000.00007ffd4dcc3000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: na.elf, 5519.1.00007ffd4dca2000.00007ffd4dcc3000.rw-.sdmp, na.elf, 5521.1.00007ffd4dca2000.00007ffd4dcc3000.rw-.sdmp Binary or memory string: +x86_64/usr/bin/qemu-ppc/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5519.1.00007ffd4dca2000.00007ffd4dcc3000.rw-.sdmp Binary or memory string: /tmp/qemu-open.DZaULx
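The "A.B.%d.%d" format strings in the Spreading section and the "TCP traffic without corresponding DNS query" destinations above are two views of the same scanner: the bot keeps a table of /16 prefixes, fills in the last two octets at random, and connects out, while the single "host:port" literal is its IRC C2. The script below is an added triage example, not code from the report or from the malware, that extracts those artifacts from the sample's strings and checks which observed destinations they explain. The byte strings and the destination list are constructed stand-ins (a handful of the prefixes and destinations listed in this report); an analyst would pass the real file contents instead. The check-in parser assumes the ESC byte (0x1b) precedes the "[0;32m" colour code on the wire, which the report rendering dropped.

```python
"""
Triage helpers for a Gafgyt/Bashlite-style scanner bot: recover the hard-coded
/16 scan ranges, the C2 host:port, and the IRC-style check-in banner.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the relevant .rodata of na.elf (assumption: the real
# binary stores these as NUL-terminated C strings, as `strings` would show them).
SAMPLE_STRINGS = (
    b"112.5.%d.%d\x00"
    b"117.165.%d.%d\x00"
    b"43.230.%d.%d\x00"
    b"103.20.%d.%d\x00"
    b"14.186.%d.%d\x00"
    b"137.59.%d.%d\x00"
    b"222.252.%d.%d\x00"
    b"192.227.146.254:6667\x00"
    b"/proc/net/route\x00"
    b"[CONNECTED] [%s] [%s]\x00"
    b"HITTA\x00"
    b"pkill -9 busybox\x00"
)

# Subset of the report's "TCP traffic detected without corresponding DNS query" list.
OBSERVED_DESTINATIONS = [
    "192.227.146.254", "43.230.36.24", "103.255.113.114", "103.20.97.163",
    "222.252.205.59", "14.186.107.143", "137.59.252.124", "88.105.47.29",
]

# Constructed check-in payload; 0x1b is the ESC that opens the colour code.
SAMPLE_CHECKIN = b"\x1b[0;32m[CONNECTED] [HITTA] [192.168.2.15]\r\n"

PREFIX_RE = re.compile(rb"(\d{1,3})\.(\d{1,3})\.%d\.%d")
C2_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
ANSI_RE = re.compile(rb"\x1b\[[0-9;]*m")
CHECKIN_RE = re.compile(
    rb"\[CONNECTED\] \[([A-Za-z0-9_-]+)\] \[(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def extract_scan_prefixes(data: bytes) -> List[ipaddress.IPv4Network]:
    """Turn every 'A.B.%d.%d' format string into the /16 the bot sweeps."""
    nets = []
    for a, b in PREFIX_RE.findall(data):
        try:
            nets.append(ipaddress.ip_network(f"{int(a)}.{int(b)}.0.0/16"))
        except ValueError:  # an octet above 255 is not a usable prefix
            continue
    return nets


def extract_c2(data: bytes) -> Optional[Tuple[str, int]]:
    """First syntactically valid 'ip:port' literal, which is how this build stores its C2."""
    for host, port in C2_RE.findall(data):
        try:
            ipaddress.ip_address(host.decode())
        except ValueError:
            continue
        if 0 < int(port) < 65536:
            return host.decode(), int(port)
    return None


def classify_destinations(dests: List[str], nets: List[ipaddress.IPv4Network],
                          c2_host: Optional[str]) -> Dict[str, str]:
    """Label each destination as the C2, a hit inside a hard-coded scan /16, or neither."""
    verdict = {}
    for d in dests:
        ip = ipaddress.ip_address(d)
        if d == c2_host:
            verdict[d] = "c2"
        elif any(ip in n for n in nets):
            verdict[d] = "scan-target"
        else:
            verdict[d] = "unexplained"
    return verdict


def parse_checkin(payload: bytes) -> Optional[Tuple[str, str]]:
    """Strip ANSI colour codes and return (bot tag, reported IP) from a check-in line."""
    m = CHECKIN_RE.search(ANSI_RE.sub(b"", payload))
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode()


if __name__ == "__main__":
    nets = extract_scan_prefixes(SAMPLE_STRINGS)
    c2 = extract_c2(SAMPLE_STRINGS)
    print("scan ranges:", [str(n) for n in nets])
    print("c2:", c2)
    labels = classify_destinations(OBSERVED_DESTINATIONS, nets, c2[0] if c2 else None)
    for dst, label in labels.items():
        print(f"{dst:<18} {label}")
    print("check-in:", parse_checkin(SAMPLE_CHECKIN))
```

Destinations that come back "unexplained" (103.255.113.114 and 88.105.47.29 in the constructed subset) are the ones worth a second look: they fall in none of the hard-coded /16s, so they were produced by some other part of the bot than the prefix table. The check-in parser is the piece to reuse in a detection: the "[CONNECTED] [HITTA] [<ip>]" banner, sent to port 6667 on a host the sample never resolved via DNS, is the same event the two ETPRO check-in alerts above fire on.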

Stealing of Sensitive Information

Source: Yara match File source: na.elf, type: SAMPLE
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2

Remote Access Functionality

Source: Yara match File source: na.elf, type: SAMPLE