Source: co.elf
Malware Configuration Extractor: Gafgyt {"C2 url": "212.224.93.228:666"}
Source: co.elf
ReversingLabs: Detection: 71%
Source: Network traffic
Suricata IDS: 2847206 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin : 192.168.2.13:37032 -> 212.224.93.228:666
Source: global traffic
TCP traffic: 192.168.2.13:37032 -> 212.224.93.228:666
Source: global traffic
TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown
TCP traffic detected without corresponding DNS query: 212.224.93.228
Source: unknown
TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global traffic
DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown
Network traffic detected: HTTP traffic on port 48202 -> 443
Source: classification engine
Classification label: mal88.troj.linELF@0/0@2/0
Source: co.elf
ELF static info symbol of initial sample: /home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/_memcpy.S
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/bcopy.S
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/memcpy.S
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/memmove.S
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/memset.S
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/strcmp.S
Source: co.elf
ELF static info symbol of initial sample: libc/string/arm/strlen.S
Source: co.elf
ELF static info symbol of initial sample: libc/sysdeps/linux/arm/crt1.S
Source: co.elf
ELF static info symbol of initial sample: libc/sysdeps/linux/arm/crti.S
Source: co.elf
ELF static info symbol of initial sample: libc/sysdeps/linux/arm/crtn.S
Source: co.elf
ELF static info symbol of initial sample: libc/sysdeps/linux/arm/sigrestorer.S
Source: co.elf
ELF static info symbol of initial sample: libc/sysdeps/linux/arm/vfork.S
Source: /tmp/co.elf (PID: 5433)
Queries kernel information via 'uname'
Source: co.elf, 5433.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp, co.elf, 5435.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp, co.elf, 5437.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp, co.elf, 5448.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp
Binary or memory string: U!/etc/qemu-binfmt/arm
Source: co.elf, 5433.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp, co.elf, 5435.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp, co.elf, 5437.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp, co.elf, 5448.1.000055fb7e5fd000.000055fb7e72b000.rw-.sdmp
Binary or memory string: /etc/qemu-binfmt/arm
Source: co.elf, 5433.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp, co.elf, 5435.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp, co.elf, 5437.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp, co.elf, 5448.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp
Binary or memory string: /usr/bin/qemu-arm
Source: co.elf, 5433.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp, co.elf, 5435.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp, co.elf, 5437.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp, co.elf, 5448.1.00007fff09eb4000.00007fff09ed5000.rw-.sdmp
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/co.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/co.elf
Source: Yara match
File source: co.elf, type: SAMPLE
Source: Yara match
File source: co.elf, type: SAMPLE
Source: Yara match
File source: 5433.1.00007f78cc017000.00007f78cc02c000.r-x.sdmp, type: MEMORY
Source: Yara match
File source: 5435.1.00007f78cc017000.00007f78cc02c000.r-x.sdmp, type: MEMORY
Source: Yara match
File source: 5448.1.00007f78cc017000.00007f78cc02c000.r-x.sdmp, type: MEMORY
Source: Yara match
File source: 5437.1.00007f78cc017000.00007f78cc02c000.r-x.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: co.elf PID: 5433, type: MEMORYSTR
Source: Yara match
File source: Process Memory Space: co.elf PID: 5435, type: MEMORYSTR
Source: Yara match
File source: Process Memory Space: co.elf PID: 5448, type: MEMORYSTR
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38
Source: Initial sample
User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Source: Initial sample
User agent string found: Mozilla/5.0 (X11; CrOS x86_64 9592.96.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.114 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; Lumia 535) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Mobile Safari/537.36 Edge/14.14393
Source: Initial sample
User agent string found: Mozilla/5.0 (Linux; Android 4.4.4; HTC Desire 620 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Source: Initial sample
User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample
User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample
User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5