Linux Analysis Report
SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf

ID:	1531110
Product:	CloudBasic
Start time:	21:28:19
Start date:	10.10.2024
Sample:	SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	bb7cc7c4e17cdd054a336f4d5aeaad62
SHA1:	5b64d9bfe4ca4bb4c776ceb0b7debed89f244534
SHA256:	e7eea6500b08adcb507695a7149adb51b3fd9c3e2e343e63a4c8aecc2a0a6ced
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf

ReversingLabs: Detection: 15%

Networking

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@2/0

Persistence and Installation Behavior

Source: /usr/bin/dash (PID: 5468)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Ze5FXhQGmx /tmp/tmp.zyEcEV5Ve8 /tmp/tmp.ePWjI8w4A6			Jump to behavior
Source: /usr/bin/dash (PID: 5469)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Ze5FXhQGmx /tmp/tmp.zyEcEV5Ve8 /tmp/tmp.ePWjI8w4A6			Jump to behavior

Malware Analysis System Evasion

Source: /tmp/SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf (PID: 5481)

Queries kernel information via 'uname':

Jump to behavior

Source: SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf, 5481.1.00007ffffc8dc000.00007ffffc8fd000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips64
Source: SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf, 5481.1.000055d120983000.000055d120a31000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips641RelativeDistinguishedName
Source: SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf, 5481.1.000055d120983000.000055d120a31000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips64
Source: SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf, 5481.1.00007ffffc8dc000.00007ffffc8fd000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips64/tmp/SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf
Source: SecuriteInfo.com.Trojan.Linux.GenericKD.24576.12596.14920.elf, 5481.1.00007ffffc8dc000.00007ffffc8fd000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped