Linux Analysis Report
na.elf

ID:	1532515
Product:	CloudBasic
Start time:	15:23:46
Start date:	13.10.2024
Sample:	na.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	00a9ae1db130ee9c421bda3d63acaa9e
SHA1:	4e54df2cd570a13dcc2b9990fa3fe2623bca3ba4
SHA256:	62e098592f3d6467df64e3cf1d86880a74431ab9f06b96bb2b15b4b621f73836
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

Spreading

Source: na.elf	String: ash|login|wget|curl|tftp|ntpdate
Source: na.elf	String: '/proc//exe|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/

Networking

Source: global traffic

TCP traffic: 38.60.249.66 ports 2,3,6,7,8,32876

Source: global traffic

TCP traffic: 192.168.2.13:32896 -> 38.60.249.66:32876

Source: /tmp/na.elf (PID: 5488)

Socket: 127.0.0.1:1234

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: eighteen.pirate
Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.evad.linELF@0/0@3/0

Data Obfuscation

Source: /tmp/na.elf (PID: 5494)

File: /etc/config

Jump to behavior

Persistence and Installation Behavior

Source: /tmp/na.elf (PID: 5494)	Directory: /root/.cache			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /root/.ssh			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /root/.config			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /root/.local			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /tmp/.X11-unix			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /tmp/.Test-unix			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /tmp/.font-unix			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /tmp/.ICE-unix			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /tmp/.XIM-unix			Jump to behavior
Source: /tmp/na.elf (PID: 5494)	Directory: /etc/.java			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: /tmp/na.elf (PID: 5494)

Log files deleted: /var/log/kern.log

Jump to behavior

Malware Analysis System Evasion

Source: /tmp/na.elf (PID: 5488)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5488.1.0000562990f5c000.0000562991004000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 5488.1.00007ffddc504000.00007ffddc525000.rw-.sdmp	Binary or memory string: 3Xx86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5488.1.00007ffddc504000.00007ffddc525000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: na.elf, 5488.1.0000562990f5c000.0000562991004000.rw-.sdmp	Binary or memory string: )V!/etc/qemu-binfmt/mipsel