Linux Analysis Report
nn.elf

Overview

General Information

Sample name: nn.elf
Analysis ID: 1538228
MD5: ed89809e1f1189724567ce62d636f4c1
SHA1: f1866ab70aba277c2c2f62770f22467f1f18a695
SHA256: c8631e6bf91d813d691e9bdaeb5a74b28779e2c13fc8e50fe62ab36a52e511a9
Tags: elf, user-abuse_ch

Detection

Nanominer, Xmrig
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Nanominer
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Executes the "rm" command used to delete files or directories
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Bitcoin Miner

Source: Yara match File source: nn.elf, type: SAMPLE
Source: Yara match File source: nn.elf, type: SAMPLE
Source: nn.elf String found in binary or memory: St22_Weak_result_type_implIM7IClientFvRKSt7variantIJ12EthashResult13StratumResult17CryptonightResult15VerusHashResultEERKS1_IJ10EthashTask12StratumInput16CryptonightInput14VerusHashInputEESt10shared_ptrI6DeviceEEE
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: nn.elf String found in binary or memory: https://api.github.com/repos/nanopool/nanominer/releases/latestmalformed
Source: nn.elf String found in binary or memory: https://api.nanopool.org/v1/invalid
Source: nn.elf String found in binary or memory: https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls:
Source: nn.elf String found in binary or memory: https://gcc.gnu.org/bugs
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443

System Summary

Source: nn.elf, type: SAMPLE Matched rule: Linux_Cryptominer_Generic_e0cca9dc Author: unknown
Source: nn.elf, type: SAMPLE Matched rule: Linux_Cryptominer_Generic_e0cca9dc reference_sample = 59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Generic, fingerprint = e7bc17ba356774ed10e65c95a8db3b09d3b9be72703e6daa9b601ea820481db7, id = e0cca9dc-0f3e-42d8-bb43-0625f4f9bfe1, last_modified = 2022-01-26
Source: classification engine Classification label: mal68.mine.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6262) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
Source: /usr/bin/dash (PID: 6263) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG