Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1532421
MD5: 0db5d6760b8306f85fb5ba89a794002e
SHA1: c04eaab09aa7888f39c4330442c6f53a923d591e
SHA256: 7cd48d762a343b483d0ce857e5d2e30fc795d11a20f1827679b9a05d5ab75c3f
Tags: elfuser-abuse_ch

Detection

Xmrig
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Executes the "crontab" command typically for achieving persistence
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings related to Crypto-Mining
Sample is packed with UPX
Sample tries to persist itself using cron
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: na.elf ReversingLabs: Detection: 28%
Source: na.elf Virustotal: Detection: 13%

Bitcoin Miner

Source: Yara match File source: 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: na.elf PID: 5809, type: MEMORYSTR
Source: na.elf, 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: na.elf, 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp String found in binary or memory: cryptonight/0
Source: na.elf, 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp String found in binary or memory: stratum+tcp://
Source: /tmp/na.elf (PID: 5809) Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/na.elf (PID: 5811) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Source: /bin/sh (PID: 5840) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p tcp --dport 35793 -j ACCEPT
Source: /bin/sh (PID: 5840) Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p tcp --dport 35793 -j ACCEPT
Source: /tmp/na.elf (PID: 5811) Reads hosts file: /etc/hosts
Source: /tmp/na.elf (PID: 5811) Socket: 0.0.0.0:35793
Source: na.elf String found in binary or memory: http://upx.sf.net
Source: na.elf, 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: na.elf, 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: na.elf, 5809.1.00007f3b2bb76000.00007f3b2bead000.r-x.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: LOAD without section mappings Program segment: 0x0
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/na.elf (PID: 5811) SIGKILL sent: pid: 5794, result: successful
Source: /tmp/na.elf (PID: 5811) SIGKILL sent: pid: 5843, result: successful
Source: classification engine Classification label: mal76.troj.evad.mine.linELF@0/3@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.23 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Source: /bin/sh (PID: 5817) Crontab executable: /usr/bin/crontab -> crontab -r
Source: /bin/sh (PID: 5819) Crontab executable: /usr/bin/crontab -> crontab -
Source: /bin/sh (PID: 5840) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -I INPUT -p tcp --dport 35793 -j ACCEPT
Source: /usr/bin/crontab (PID: 5819) File: /var/spool/cron/crontabs/tmp.JjIApe
Source: /usr/bin/crontab (PID: 5819) File: /var/spool/cron/crontabs/root
Source: /tmp/na.elf (PID: 5811) File opened: /proc/3760/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/3761/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/1583/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/2672/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/110/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/3759/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/111/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/112/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/113/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/234/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/1577/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/114/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/235/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/115/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/116/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/117/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/118/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/119/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/3873/cmdline
Source: /tmp/na.elf (PID: 5811) File opened: /proc/10/cmdline
Source: /tmp/na.elf (PID: 5813) Shell command executed: sh -c "command -v crontab >/dev/null 2>&1"
Source: /tmp/na.elf (PID: 5815) Shell command executed: sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/na.elf\" | crontab -"
Source: /tmp/na.elf (PID: 5820) Shell command executed: sh -c "command -v php >/dev/null 2>&1"
Source: /tmp/na.elf (PID: 5822) Shell command executed: sh -c "command -v nginx >/dev/null 2>&1"
Source: /tmp/na.elf (PID: 5824) Shell command executed: sh -c "which apache2"
Source: /tmp/na.elf (PID: 5827) Shell command executed: sh -c "which httpd"
Source: /tmp/na.elf (PID: 5838) Shell command executed: sh -c "iptables -I INPUT -p tcp --dport 35793 -j ACCEPT >/dev/null 2>&1"
Source: /bin/sh (PID: 5840) Iptables executable: /usr/sbin/iptables -> iptables -I INPUT -p tcp --dport 35793 -j ACCEPT
Source: /tmp/na.elf (PID: 5809) Reads from proc file: /proc/cpuinfo
Source: /tmp/na.elf (PID: 5811) Reads from proc file: /proc/meminfo
Source: na.elf Submission file: segment LOAD with 7.8989 entropy (max. 8.0)
Source: na.elf Submission file: segment LOAD with 7.9998 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5809) Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/na.elf (PID: 5811) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/na.elf (PID: 5809) Queries kernel information via 'uname'
Source: /tmp/na.elf (PID: 5811) Queries kernel information via 'uname'
Source: na.elf, 5809.1.00007ffceec0c000.00007ffceec2d000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5809.1.000055f479104000.000055f47929a000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: na.elf, 5809.1.000055f479104000.000055f47929a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5809.1.00007ffceec0c000.00007ffceec2d000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
No contacted IP infos