Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1528122
MD5: 975118b578c49f90bbea29fbbb1e9571
SHA1: e3284871c6a307a1001be651d370e0ad2c85145e
SHA256: 4c9d16b64450e2cb181d1b4948ed8a3633571fc995e11e732c64cb795b12b73b
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Executes commands using a shell command-line interpreter
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: na.elf ReversingLabs: Detection: 31%

Networking

Source: unknown Network traffic detected: HTTP traffic on port 56550 -> 999
Source: global traffic TCP traffic: 192.168.2.14:56550 -> 129.152.30.246:999
Source: global traffic TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 129.152.30.246
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.troj.linELF@0/0@2/0
Source: /tmp/na.elf (PID: 5504) Shell command executed: sh -c "]0;Central Control Terminal - 54 server(s) connected"
Source: submitted sample Stderr: sh: 1: Syntax error: "(" unexpected: exit code = 0

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 56550 -> 999
Source: /tmp/na.elf (PID: 5500) Queries kernel information via 'uname'
Source: na.elf, 5500.1.00007ffcf6ead000.00007ffcf6ece000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5500.1.0000559a3617f000.0000559a362ad000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: na.elf, 5500.1.0000559a3617f000.0000559a362ad000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5500.1.00007ffcf6ead000.00007ffcf6ece000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm