Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1528915
MD5: 2ba8a85df5d3b24700fc438197e1f47c
SHA1: c5c196a4886342f63b81d683d8edf32f12fc3ac7
SHA256: 55f624875d6c2f35913ece345e1894b55c9060b8ed112ca70e7c9e2aa46f75a7
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads system version information
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Networking

Source: /tmp/na.elf (PID: 5703) Opens: /sys/class/net/
Source: /tmp/na.elf (PID: 5703) Opens: /sys/class/net/lo/address
Source: /tmp/na.elf (PID: 5703) Opens: /sys/class/net/ens160/address
Source: /tmp/na.elf (PID: 5703) Opens: /sys/class/net/ens160/flags
Source: /tmp/na.elf (PID: 5703) Opens: /sys/class/net/ens160/carrier
Source: global traffic TCP traffic: 192.168.2.13:47052 -> 5.230.228.46:554
Source: global traffic TCP traffic: 192.168.2.13:60912 -> 5.230.122.82:3724
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.228.46
Source: unknown TCP traffic detected without corresponding DNS query: 5.230.122.82
Source: unknown UDP traffic detected without corresponding DNS query: 172.217.192.127
Source: unknown UDP traffic detected without corresponding DNS query: 37.252.191.197
Source: global traffic DNS traffic detected: DNS query: iranistrash.libre
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.spyw.evad.linELF@0/0@1/0
Source: /usr/lib/snapd/snap-failure (PID: 5753) Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket
Source: /usr/lib/snapd/snap-failure (PID: 5740) Reads version info: /proc/version

Hooking and other Techniques for Hiding and Protection

Source: /tmp/na.elf (PID: 5698) File: /tmp/na.elf
Source: /tmp/na.elf (PID: 5698) Queries kernel information via 'uname'
Source: /tmp/na.elf (PID: 5703) Queries kernel information via 'uname'
Source: na.elf, 5698.1.00005592e25d5000.00005592e263a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sparc
Source: na.elf, 5698.1.00005592e25d5000.00005592e263a000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: na.elf, 5698.1.00007ffc62ad4000.00007ffc62af5000.rw-.sdmp Binary or memory string: $x86_64/usr/bin/qemu-sparc/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5698.1.00007ffc62ad4000.00007ffc62af5000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sparc

HIPS / PFW / Operating System Protection Evasion

Source: Traffic DNS traffic detected: queries for: iranistrash.libre