Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1528825
MD5: e80f9e86ce0f05c999934c5047ff2312
SHA1: 890a8ecd237edd11622af2e0b4ae7c8fa7e68ab4
SHA256: a3db841fa630a75dde27d23e03c350f14356dbd6f8b03eed535584229d0a677a
Tags: elfMiraiuser-abuse_ch
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: na.elf Virustotal: Detection: 46% Perma Link
Source: na.elf ReversingLabs: Detection: 39%
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elf String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x8000
Source: classification engine Classification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
ELF contains segments with high entropy indicating compressed/encrypted content
Source: na.elf Submission file: segment LOAD with 7.9718 entropy (max. 8.0)
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5500) Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5500.1.00007ffce704f000.00007ffce7070000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5500.1.00005647c44f1000.00005647c46bf000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5500.1.00007ffce704f000.00007ffce7070000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: na.elf, 5500.1.00005647c44f1000.00005647c46bf000.rw-.sdmp Binary or memory string: GV!/etc/qemu-binfmt/arm
Source: na.elf, 5500.1.00007ffce704f000.00007ffce7070000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

No Screenshots

No contacted IP infos

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true