Linux Analysis Report
arm.elf

Overview

General Information

Sample name: arm.elf
Analysis ID: 1542350
MD5: ed383aa08f52d0e77c7aaac770083093
SHA1: b47afd51a929de7fd19b3b346031ddf5743cd4eb
SHA256: da1cb76484293c682559dc40c8ed1429b8ebde5926d6ac16b74faadfa740d719
Tags: elfuser-abuse_ch

Detection

Score: 1
Range: 0 - 100
Whitelisted: false

Signatures

Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: clean1.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6284) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Qh44lUG4IL /tmp/tmp.KBddbAQEh3 /tmp/tmp.deYo6t9Fx8
Source: /usr/bin/dash (PID: 6285) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Qh44lUG4IL /tmp/tmp.KBddbAQEh3 /tmp/tmp.deYo6t9Fx8
Source: /tmp/arm.elf (PID: 6248) Queries kernel information via 'uname'
Source: arm.elf, 6248.1.0000559bc2c37000.0000559bc2d65000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm.elf, 6248.1.00007fff5b9b0000.00007fff5b9d1000.rw-.sdmp Binary or memory string: 4x86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf
Source: arm.elf, 6248.1.0000559bc2c37000.0000559bc2d65000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: arm.elf, 6248.1.00007fff5b9b0000.00007fff5b9d1000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm