Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1528718
MD5: d67cbbfaa0ff94b44135c640cf1f3209
SHA1: 44172da72c648d336d251c2a2c7b6559743994f2
SHA256: c26d997f4c050caf08661d08183b17d3ecaf2d1ecbfe0a029ad0cbf7de79bdde
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: na.elf ReversingLabs: Detection: 39%
Source: na.elf Virustotal: Detection: 39% Perma Link
Found strings indicative of a multi-platform dropper
Source: na.elf String: /proc//exewgetinitcurltftp/fdsocketproc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 156.244.16.207 ports 3,4,6,7,9,49376
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:45630 -> 156.244.16.207:49376
Sample listens on a socket
Source: /tmp/na.elf (PID: 5579) Socket: 127.0.0.1:1234 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown TCP traffic detected without corresponding DNS query: 156.244.16.207
Source: unknown UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.troj.evad.linELF@0/0@3/0

Data Obfuscation
barindex
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/na.elf (PID: 5583) File: /etc/config Jump to behavior
Creates hidden files and/or directories
Source: /tmp/na.elf (PID: 5583) Directory: /root/.cache Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /root/.ssh Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /root/.config Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /root/.local Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /tmp/.X11-unix Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /tmp/.Test-unix Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /tmp/.font-unix Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /tmp/.ICE-unix Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /tmp/.XIM-unix Jump to behavior
Source: /tmp/na.elf (PID: 5583) Directory: /etc/.java Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/na.elf (PID: 5583) Log files deleted: /var/log/kern.log Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5579) Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5579.1.0000556c54a77000.0000556c54bc5000.rw-.sdmp Binary or memory string: TlU!/etc/qemu-binfmt/arm
Source: na.elf, 5579.1.00007ffea8ae9000.00007ffea8b0a000.rw-.sdmp Binary or memory string: (2gx86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5579.1.0000556c54a77000.0000556c54bc5000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5579.1.00007ffea8ae9000.00007ffea8b0a000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
156.244.16.207
 unknown Seychelles
132839 POWERLINE-AS-APPOWERLINEDATACENTERHK true
116.203.104.203
 unknown Germany
24940 HETZNER-ASDE false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true