Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1532147
MD5: 455337989426e790c12683d911783dc5
SHA1: 6676d5c971389710b5a522b2fc2385a4de29f122
SHA256: 17f1ca3fd8f8f36c1b2585fe38298d69ee693153c950f21f2f224d1555a2ccf7
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Contains symbols with names commonly found in malware
Found strings indicative of a multi-platform dropper
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: na.elf Virustotal: Detection: 21% Perma Link
Found strings indicative of a multi-platform dropper
Source: na.elf String: /lib//sbin//usr//proc//exeself/fd/fd/socket:/proc/proc//exewgetcurlftpmountabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/proc/net/tcp/proc//exe/fd//proc//maps/lib/usr/lib
Sample listens on a socket
Source: /tmp/na.elf (PID: 5490) Socket: 127.0.0.1:45295 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: unknown TCP traffic detected without corresponding DNS query: 172.234.244.102
Source: global traffic DNS traffic detected: DNS query: dvrhelpers.su
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary
barindex
Contains symbols with names commonly found in malware
Source: ELF static info symbol of initial sample Name: add_attack
Source: ELF static info symbol of initial sample Name: attack_add_pid
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_ongoing
Source: ELF static info symbol of initial sample Name: attack_parse
Source: ELF static info symbol of initial sample Name: attack_remove_id
Source: ELF static info symbol of initial sample Name: attack_start
Source: ELF static info symbol of initial sample Name: attack_stop
Source: ELF static info symbol of initial sample Name: attacks_ack
Source: ELF static info symbol of initial sample Name: attacks_gre
Source: classification engine Classification label: mal52.linELF@0/0@1/0
Source: na.elf ELF static info symbol of initial sample: /home/landley/aboriginal/aboriginal/build/temp-mipsel/gcc-core/gcc/libgcc2.c
Source: na.elf ELF static info symbol of initial sample: /home/landley/aboriginal/aboriginal/build/temp-mipsel/gcc-core/gcc/libgcc2.c
Source: na.elf ELF static info symbol of initial sample: /home/landley/aboriginal/aboriginal/build/temp-mipsel/gcc-core/gcc/libgcc2.h
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/na.elf (PID: 5490) Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5490.1.000055c0cfde3000.000055c0cfe6a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 5490.1.000055c0cfde3000.000055c0cfe6a000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: na.elf, 5490.1.00007ffcd6f70000.00007ffcd6f91000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
Source: na.elf, 5490.1.00007ffcd6f70000.00007ffcd6f91000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.125.190.26
 unknown United Kingdom
41231 CANONICAL-ASGB false
172.234.244.102
 unknown United States
20940 AKAMAI-ASN1EU false

Contacted Domains

Name IP Active
dvrhelpers.su unknown unknown