Linux Analysis Report
4LbWi40g57.elf

Overview

General Information

Sample name: 4LbWi40g57.elf (renamed because the original name is a hash value)
Original sample name: 47c38dfe1d4d3661c6216b5be3b48bea.elf
Analysis ID: 1529269
MD5: 47c38dfe1d4d3661c6216b5be3b48bea
SHA1: 64b780eddfabbf48d8f8c29cfa4ece8f5b93d092
SHA256: ef069f81e2fbf94c1bba6f5de1acf95ad5b0b236dd8a931765b2dd9b0a877c3f
Tags: 32, arm, elf, mirai

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: 4LbWi40g57.elf ReversingLabs: Detection: 31%
Source: global traffic TCP traffic: 192.168.2.13:36318 -> 154.223.21.228:7193
Source: /tmp/4LbWi40g57.elf (PID: 5433) Socket: 127.0.0.1:1234
Source: global traffic TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: subcarrace.indy
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/4LbWi40g57.elf (PID: 5435) SIGKILL sent: pid: 884, result: successful
Source: /tmp/4LbWi40g57.elf (PID: 5435) SIGKILL sent: pid: 1691, result: successful
Source: /tmp/4LbWi40g57.elf (PID: 5435) SIGKILL sent: pid: 1847, result: successful
Source: /tmp/4LbWi40g57.elf (PID: 5435) SIGKILL sent: pid: 1866, result: successful
Source: /tmp/4LbWi40g57.elf (PID: 5435) SIGKILL sent: pid: 5477, result: successful
Source: /tmp/4LbWi40g57.elf (PID: 5435) SIGKILL sent: pid: 5479, result: successful
Source: classification engine Classification label: mal48.linELF@0/1@3/0
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/914/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3635/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/917/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/1/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/2/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/1588/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/4/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/6/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/7/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/8/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/800/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/9/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/802/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/803/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3420/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/1482/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/1480/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/1238/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3413/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/1475/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/936/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/816/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3310/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3424/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3300/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3429/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3680/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3681/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3442/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3315/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3434/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3678/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3679/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5510/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3208/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5508/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5509/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3327/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3448/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3203/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5502/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/726/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/727/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5505/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5506/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3209/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5507/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5520/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/2496/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3100/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3342/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3220/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/5519/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3336/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3455/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/3212/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5435) File opened: /proc/855/cmdline
Source: /tmp/4LbWi40g57.elf (PID: 5433) Queries kernel information via 'uname'
Source: 4LbWi40g57.elf, 5433.1.000056446f177000.000056446f2c6000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 4LbWi40g57.elf, 5433.1.00007ffcefc56000.00007ffcefc77000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: 4LbWi40g57.elf, 5433.1.000056446f177000.000056446f2c6000.rw-.sdmp Binary or memory string: oDV!/etc/qemu-binfmt/arm
Source: 4LbWi40g57.elf, 5433.1.00007ffcefc56000.00007ffcefc77000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/4LbWi40g57.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/4LbWi40g57.elf