Linux Analysis Report
kkkarm7.elf

Overview

General Information

Sample name:	kkkarm7.elf
Analysis ID:	1542899
MD5:	7e9acb296052d0d9bcd9dc3d2cee07c0
SHA1:	b82940799726c17e512eb03331a8d10e96cd9a44
SHA256:	3f7216eacdfe93ed55b52920a5b4e7b983d02503f7bd69196f54a8c52ba8fc02
Tags:	elfkkkMiraiuser-NDA0E
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains symbols with names commonly found in malware

Detected TCP or UDP traffic on non-standard ports

Sample and/or dropped files contains symbols with suspicious names

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kkkarm7.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: kkkarm7.elf

ReversingLabs: Detection: 73%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.14:56436 -> 5.59.249.232:1337

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 5.59.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 5.59.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 100.151.38.78
Source: unknown	TCP traffic detected without corresponding DNS query: 212.246.46.244
Source: unknown	TCP traffic detected without corresponding DNS query: 184.216.168.78
Source: unknown	TCP traffic detected without corresponding DNS query: 207.101.169.177
Source: unknown	TCP traffic detected without corresponding DNS query: 144.29.173.77
Source: unknown	TCP traffic detected without corresponding DNS query: 87.153.127.251
Source: unknown	TCP traffic detected without corresponding DNS query: 94.42.183.237
Source: unknown	TCP traffic detected without corresponding DNS query: 194.162.48.248
Source: unknown	TCP traffic detected without corresponding DNS query: 149.46.47.32
Source: unknown	TCP traffic detected without corresponding DNS query: 153.47.49.176
Source: unknown	TCP traffic detected without corresponding DNS query: 47.164.83.228
Source: unknown	TCP traffic detected without corresponding DNS query: 43.116.100.8
Source: unknown	TCP traffic detected without corresponding DNS query: 183.203.48.95
Source: unknown	TCP traffic detected without corresponding DNS query: 96.202.58.1
Source: unknown	TCP traffic detected without corresponding DNS query: 139.29.180.55
Source: unknown	TCP traffic detected without corresponding DNS query: 156.134.176.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.35.31.184
Source: unknown	TCP traffic detected without corresponding DNS query: 188.238.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 123.165.173.154
Source: unknown	TCP traffic detected without corresponding DNS query: 144.49.203.72
Source: unknown	TCP traffic detected without corresponding DNS query: 68.47.31.113
Source: unknown	TCP traffic detected without corresponding DNS query: 246.80.113.9
Source: unknown	TCP traffic detected without corresponding DNS query: 97.136.162.248
Source: unknown	TCP traffic detected without corresponding DNS query: 135.218.11.109
Source: unknown	TCP traffic detected without corresponding DNS query: 23.235.225.233
Source: unknown	TCP traffic detected without corresponding DNS query: 27.198.222.118
Source: unknown	TCP traffic detected without corresponding DNS query: 124.7.89.100
Source: unknown	TCP traffic detected without corresponding DNS query: 119.161.187.221
Source: unknown	TCP traffic detected without corresponding DNS query: 179.203.26.22
Source: unknown	TCP traffic detected without corresponding DNS query: 142.15.146.242
Source: unknown	TCP traffic detected without corresponding DNS query: 213.143.131.228
Source: unknown	TCP traffic detected without corresponding DNS query: 188.59.185.59
Source: unknown	TCP traffic detected without corresponding DNS query: 211.47.69.195
Source: unknown	TCP traffic detected without corresponding DNS query: 191.73.25.197
Source: unknown	TCP traffic detected without corresponding DNS query: 34.240.59.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.122.223.105
Source: unknown	TCP traffic detected without corresponding DNS query: 147.3.16.105
Source: unknown	TCP traffic detected without corresponding DNS query: 92.177.189.234
Source: unknown	TCP traffic detected without corresponding DNS query: 136.82.51.253
Source: unknown	TCP traffic detected without corresponding DNS query: 181.170.38.19
Source: unknown	TCP traffic detected without corresponding DNS query: 162.19.218.158
Source: unknown	TCP traffic detected without corresponding DNS query: 84.135.169.252
Source: unknown	TCP traffic detected without corresponding DNS query: 38.93.70.57
Source: unknown	TCP traffic detected without corresponding DNS query: 73.11.151.28
Source: unknown	TCP traffic detected without corresponding DNS query: 244.91.200.24
Source: unknown	TCP traffic detected without corresponding DNS query: 165.255.73.181
Source: unknown	TCP traffic detected without corresponding DNS query: 12.82.33.112
Source: unknown	TCP traffic detected without corresponding DNS query: 139.164.193.152

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_handshake
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_method.c
Source: ELF static info symbol of initial sample	Name: attack_method_brainfuck
Source: ELF static info symbol of initial sample	Name: attack_method_greip
Source: ELF static info symbol of initial sample	Name: attack_method_onepacket
Source: ELF static info symbol of initial sample	Name: attack_method_std

Sample and/or dropped files contains symbols with suspicious names

Source: kkkarm7.elf	ELF static info symbol of initial sample: __gnu_unwind_execute
Source: kkkarm7.elf	ELF static info symbol of initial sample: scanner.c
Source: kkkarm7.elf	ELF static info symbol of initial sample: scanner_init
Source: kkkarm7.elf	ELF static info symbol of initial sample: scanner_pid
Source: kkkarm7.elf	ELF static info symbol of initial sample: scanner_rawpkt

Source: classification engine

Classification label: mal60.linELF@0/0@2/0

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/kkkarm7.elf (PID: 5481)

Queries kernel information via 'uname':

Jump to behavior

Source: kkkarm7.elf, 5481.1.000056399b1ac000.000056399b2fc000.rw-.sdmp, kkkarm7.elf, 5484.1.000056399b1ac000.000056399b2da000.rw-.sdmp, kkkarm7.elf, 5488.1.000056399b1ac000.000056399b2da000.rw-.sdmp, kkkarm7.elf, 5490.1.000056399b1ac000.000056399b2da000.rw-.sdmp	Binary or memory string: 9V!/etc/qemu-binfmt/arm
Source: kkkarm7.elf, 5481.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp, kkkarm7.elf, 5484.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp, kkkarm7.elf, 5488.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp, kkkarm7.elf, 5490.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/kkkarm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kkkarm7.elf
Source: kkkarm7.elf, 5481.1.000056399b1ac000.000056399b2fc000.rw-.sdmp, kkkarm7.elf, 5484.1.000056399b1ac000.000056399b2da000.rw-.sdmp, kkkarm7.elf, 5488.1.000056399b1ac000.000056399b2da000.rw-.sdmp, kkkarm7.elf, 5490.1.000056399b1ac000.000056399b2da000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: kkkarm7.elf, 5481.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp, kkkarm7.elf, 5484.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp, kkkarm7.elf, 5488.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp, kkkarm7.elf, 5490.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: kkkarm7.elf, 5488.1.00007ffc4685b000.00007ffc4687c000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
102.124.22.128	unknown	Sudan	36972	MTNSD	false
123.176.209.140	unknown	Japan	17939	MCN-NET01miyazakicabletelevisionnetworkCoLTDJP	false
24.212.124.66	unknown	Canada	35911	BNQ-1CA	false
74.124.75.106	unknown	United States	7782	ALSK-7782US	false
66.7.147.54	unknown	United States	3257	GTT-BACKBONEGTTDE	false
53.243.148.74	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
91.181.37.254	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
89.165.175.166	unknown	Romania	48161	NG-ASSosBucuresti-Ploiestinr42-44RO	false
195.158.153.96	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
80.57.112.141	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
102.132.248.24	unknown	South Africa	37680	COOL-IDEASZA	false
250.191.143.247	unknown	Reserved	unknown	unknown	false
12.172.252.113	unknown	United States	2386	INS-ASUS	false
41.111.78.250	unknown	Algeria	36947	ALGTEL-ASDZ	false
221.165.49.246	unknown	Korea Republic of	9631	YSU-AS-KRyoungsanuniversityKR	false
219.188.170.54	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
210.56.226.240	unknown	Australia	9224	CIRRUSCOMMS1-AU-APCirrusCommunicationsPtyLtdAU	false
66.78.131.73	unknown	United States	18474	AENEAS-CWUS	false
154.238.92.181	unknown	Egypt	36992	ETISALAT-MISREG	false
72.208.136.73	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
74.42.0.159	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
145.131.235.74	unknown	Netherlands	28685	ASN-ROUTITNL	false
164.110.201.72	unknown	United States	14827	WSDOT-ASNUS	false
242.171.187.16	unknown	Reserved	unknown	unknown	false
204.93.205.45	unknown	United States	23352	SERVERCENTRALUS	false
79.53.135.225	unknown	Italy	3269	ASN-IBSNAZIT	false
177.180.48.11	unknown	Brazil	28573	CLAROSABR	false
36.208.138.99	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
242.245.138.11	unknown	Reserved	unknown	unknown	false
254.120.189.156	unknown	Reserved	unknown	unknown	false
254.197.71.107	unknown	Reserved	unknown	unknown	false
1.36.205.199	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
218.165.129.60	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
186.233.176.81	unknown	Brazil	53209	MantiqueiraTecnologiaLtdaBR	false
96.102.37.180	unknown	United States	7922	COMCAST-7922US	false
121.239.59.88	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
8.85.166.193	unknown	United States	3356	LEVEL3US	false
89.88.201.41	unknown	France	5410	BOUYGTEL-ISPFR	false
36.234.227.131	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
211.250.122.181	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
39.235.114.176	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
218.100.57.70	unknown	Sri Lanka	10212	CHINAENTERCOMChinaEnterpriseCommunicationsLtdCN	false
79.88.151.13	unknown	France	15557	LDCOMNETFR	false
198.6.77.154	unknown	United States	701	UUNETUS	false
155.134.67.218	unknown	United States	37532	ZAMRENZM	false
17.76.174.195	unknown	United States	714	APPLE-ENGINEERINGUS	false
223.213.26.73	unknown	China	17962	TOPWAY-NETShenZhenTopwayVideoCommunicationCoLtdCN	false
171.17.136.53	unknown	Germany	12888	Berghamerstr5DE	false
220.152.105.31	unknown	Japan	23808	TOSHIMA-NETTOSHIMACABLENETWORKCOLTDJP	false
80.140.216.227	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
66.8.17.195	unknown	South Africa	16637	MTNNS-ASZA	false
220.162.2.17	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
16.198.158.103	unknown	United States	unknown	unknown	false
40.224.241.214	unknown	United States	4249	LILLY-ASUS	false
112.8.213.246	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false
168.237.144.254	unknown	United States	3136	STATE-OF-WISCONSIN-AS1US	false
119.231.115.176	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
24.64.102.204	unknown	Canada	6327	SHAWCA	false
125.148.216.199	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
27.170.192.141	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
153.72.76.29	unknown	United States	14962	NCR-252US	false
125.19.44.21	unknown	India	9498	BBIL-APBHARTIAirtelLtdIN	false
150.182.60.158	unknown	United States	7018	ATT-INTERNET4US	false
150.244.76.199	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
39.66.251.133	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
100.138.37.138	unknown	United States	21928	T-MOBILE-AS21928US	false
66.129.182.28	unknown	Canada	13768	COGECO-PEER1CA	false
119.67.151.159	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
75.210.150.32	unknown	United States	22394	CELLCOUS	false
20.142.173.117	unknown	United States	8070	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.74.85.96	unknown	United Arab Emirates	15802	DU-AS1AE	false
218.62.36.127	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
94.187.173.46	unknown	Kuwait	196921	BWIRELESS-KUWAITKW	false
250.57.160.197	unknown	Reserved	unknown	unknown	false
63.255.61.42	unknown	United States	36104	EFCUUS	false
147.14.150.39	unknown	Sweden	41076	POSTDK-ASDK	false
19.68.221.109	unknown	United States	3	MIT-GATEWAYSUS	false
57.107.164.60	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
122.205.236.131	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
114.239.90.4	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
196.69.119.219	unknown	Morocco	6713	IAM-ASMA	false
112.208.82.216	unknown	Philippines	9299	IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH	false
85.212.212.8	unknown	Germany	12312	ECOTELDE	false
78.101.34.148	unknown	Qatar	42298	GCC-MPLS-PEERINGGCCMPLSpeeringQA	false
149.147.224.243	unknown	Kuwait	42961	GPRS-ASZAINKW	false
92.187.252.116	unknown	France	12479	UNI2-ASES	false
27.211.43.100	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
220.237.169.99	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
95.145.60.62	unknown	United Kingdom	12576	EELtdGB	false
39.43.145.82	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
121.28.149.84	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
90.40.83.226	unknown	France	3215	FranceTelecom-OrangeFR	false
241.217.135.69	unknown	Reserved	unknown	unknown	false
112.138.57.116	unknown	Japan	10010	TOKAITOKAICommunicationsCorporationJP	false
113.158.54.19	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
250.55.84.174	unknown	Reserved	unknown	unknown	false
5.225.163.15	unknown	Spain	12430	VODAFONE_ESES	false
115.202.19.61	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
210.13.121.214	unknown	China	9929	CUIICHINAUNICOMIndustrialInternetBackboneCN	false
62.132.182.14	unknown	Germany	286	KPNNL	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.24	true

ID:	1542899
Product:	CloudBasic
Start time:	19:47:07
Start date:	26.10.2024
Sample:	kkkarm7.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	7e9acb296052d0d9bcd9dc3d2cee07c0
SHA1:	b82940799726c17e512eb03331a8d10e96cd9a44
SHA256:	3f7216eacdfe93ed55b52920a5b4e7b983d02503f7bd69196f54a8c52ba8fc02
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
kkkarm7.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report kkkarm7.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
kkkarm7.elf