Click to jump to signature section
Source: na.elf | ReversingLabs: Detection: 57% |
Source: na.elf | Virustotal: Detection: 65% | Perma Link |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com |
Source: na.elf | String found in binary or memory: http://127.0.0.1 |
Source: na.elf | String found in binary or memory: http://127.0.0.1sendcmd |
Source: na.elf | String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s) |
Source: na.elf | String found in binary or memory: http://ipinfo.io/ip |
Source: na.elf | String found in binary or memory: http://upx.sf.net |
Source: na.elf, type: SAMPLE | Matched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown |
Source: 5489.1.00007f6cd0400000.00007f6cd0422000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown |
Source: LOAD without section mappings | Program segment: 0x400000 |
Source: Initial sample | String containing 'busybox' found: busybox |
Source: Initial sample | String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s |
Source: na.elf, type: SAMPLE | Matched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28 |
Source: 5489.1.00007f6cd0400000.00007f6cd0422000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28 |
Source: classification engine | Classification label: mal76.troj.evad.linELF@0/0@2/0 |
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ |
Source: initial sample | String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $ |
Source: na.elf | Submission file: segment LOAD with 7.8156 entropy (max. 8.0) |
Source: /tmp/na.elf (PID: 5489) | Queries kernel information via 'uname': | Jump to behavior |
Source: na.elf, 5489.1.00005555f5b88000.00005555f5c0f000.rw-.sdmp | Binary or memory string: UU!/etc/qemu-binfmt/mips |
Source: na.elf, 5489.1.00007ffca3bbf000.00007ffca3be0000.rw-.sdmp | Binary or memory string: ix86_64/usr/bin/qemu-mips/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf |
Source: na.elf, 5489.1.00005555f5b88000.00005555f5c0f000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips |
Source: na.elf, 5489.1.00007ffca3bbf000.00007ffca3be0000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips |
Source: na.elf, 5489.1.00007ffca3bbf000.00007ffca3be0000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped |
Source: Yara match | File source: na.elf, type: SAMPLE |
Source: Yara match | File source: na.elf, type: SAMPLE |