Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1532529
MD5:	23f684775cd0ec77dbac5d3b06eaa2a3
SHA1:	1c5dc968afd80b8641c7184a2ff5ab7072de33a7
SHA256:	bb7b5ef114c9ab567852caa806c03672cac7aa3ef1c855609cba74c1b5d77957
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Deletes system log files

Sample tries to access files in /etc/config/ (typical for OpenWRT routers)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Reads system version information

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: na.elf

ReversingLabs: Detection: 21%

Found strings indicative of a multi-platform dropper

Source: na.elf	String: ash\|login\|wget\|curl\|tftp\|ntpdate
Source: na.elf	String: /proc//exe\|ash\|login\|wget\|curl\|tftp\|ntpdate/fdsocket\|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 38.60.249.66 ports 3,4,6,7,9,49376

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.13:33626 -> 38.60.249.66:49376

Sample listens on a socket

Source: /tmp/na.elf (PID: 5721)

Socket: 127.0.0.1:1234

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	TCP traffic detected without corresponding DNS query: 38.60.249.66
Source: unknown	UDP traffic detected without corresponding DNS query: 116.203.104.203

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/na.elf (PID: 5723)

SIGKILL sent: pid: 1692, result: successful

Jump to behavior

Source: classification engine

Classification label: mal60.troj.evad.linELF@0/0@2/0

Data Obfuscation

Sample tries to access files in /etc/config/ (typical for OpenWRT routers)

Source: /tmp/na.elf (PID: 5724)

File: /etc/config

Jump to behavior

Creates hidden files and/or directories

Source: /tmp/na.elf (PID: 5724)	Directory: /root/.cache	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /root/.ssh	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /root/.config	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /root/.local	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /tmp/.X11-unix	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /tmp/.Test-unix	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /tmp/.font-unix	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /tmp/.ICE-unix	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /tmp/.XIM-unix	Jump to behavior
Source: /tmp/na.elf (PID: 5724)	Directory: /etc/.java	Jump to behavior

Executes the "systemctl" command used for controlling the systemd system and service manager

Source: /usr/lib/snapd/snap-failure (PID: 5746)

Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket

Jump to behavior

Reads system version information

Source: /usr/lib/snapd/snap-failure (PID: 5732)

Reads version info: /proc/version

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/na.elf (PID: 5724)

Log files deleted: /var/log/kern.log

Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/na.elf (PID: 5721)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5721.1.00005585d0fd9000.00005585d1089000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: na.elf, 5721.1.00007fffe29a8000.00007fffe29c9000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5721.1.00005585d0fd9000.00005585d1089000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: na.elf, 5721.1.00007fffe29a8000.00007fffe29c9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
116.203.104.203	unknown	Germany		24940	HETZNER-ASDE	false
38.60.249.66	unknown	United States		174	COGENT-174US	true

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.25	true

ID:	1532529
Product:	CloudBasic
Start time:	15:37:52
Start date:	13.10.2024
Sample:	na.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	23f684775cd0ec77dbac5d3b06eaa2a3
SHA1:	1c5dc968afd80b8641c7184a2ff5ab7072de33a7
SHA256:	bb7b5ef114c9ab567852caa806c03672cac7aa3ef1c855609cba74c1b5d77957
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
na.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
na.elf