Linux Analysis Report
OIW7aNSHbh.elf

Overview

General Information

Sample name: OIW7aNSHbh.elf
renamed because original name is a hash value
Original sample name: 06df7167beb17e0df77f4cba1913fe30.elf
Analysis ID: 1532256
MD5: 06df7167beb17e0df77f4cba1913fe30
SHA1: 19d69c9a177b1901ca3ca4a76d629aea73589ab8
SHA256: 586a680a3b116460cdb66c709dc5731d40d0364ad22a243d0631351d4d3dfda7
Tags: 32, arm, elf, mirai

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: OIW7aNSHbh.elf Avira: detected
Source: OIW7aNSHbh.elf Virustotal: Detection: 36%
Source: OIW7aNSHbh.elf ReversingLabs: Detection: 52%
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.linELF@0/0@2/0
Source: /tmp/OIW7aNSHbh.elf (PID: 5529) Queries kernel information via 'uname'
Source: OIW7aNSHbh.elf, 5529.1.00007ffca4098000.00007ffca40b9000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/OIW7aNSHbh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/OIW7aNSHbh.elf
Source: OIW7aNSHbh.elf, 5529.1.0000558084ae7000.0000558084c15000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: OIW7aNSHbh.elf, 5529.1.00007ffca4098000.00007ffca40b9000.rw-.sdmp Binary or memory string: qemu: %s: %s
Source: OIW7aNSHbh.elf, 5529.1.00007ffca4098000.00007ffca40b9000.rw-.sdmp Binary or memory string: leqemu: %s: %s
Source: OIW7aNSHbh.elf, 5529.1.0000558084ae7000.0000558084c15000.rw-.sdmp Binary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: OIW7aNSHbh.elf, 5529.1.0000558084ae7000.0000558084c15000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: OIW7aNSHbh.elf, 5529.1.00007ffca4098000.00007ffca40b9000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: OIW7aNSHbh.elf, 5529.1.0000558084ae7000.0000558084c15000.rw-.sdmp Binary or memory string: rg.qemu.gdb.arm.sys.regs">
No contacted IP infos