Linux Analysis Report
kkkarm.elf

Overview

General Information

Sample name:	kkkarm.elf
Analysis ID:	1542903
MD5:	5884e26612e6f67801f68fc23fbca30f
SHA1:	fa157c68363bc024b109d5d10bd64f8a02d419fe
SHA256:	c33d00190d82329fb8348da08734ecde32f2641d4ea5dc8e8cc4b4392356c395
Tags:	elfkkkMiraiuser-NDA0E
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kkkarm.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: kkkarm.elf

ReversingLabs: Detection: 71%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:46232 -> 5.59.249.232:1337

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 5.59.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 5.59.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 5.59.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 5.59.249.232
Source: unknown	TCP traffic detected without corresponding DNS query: 59.127.95.143
Source: unknown	TCP traffic detected without corresponding DNS query: 88.42.165.137
Source: unknown	TCP traffic detected without corresponding DNS query: 142.234.35.250
Source: unknown	TCP traffic detected without corresponding DNS query: 62.122.17.109
Source: unknown	TCP traffic detected without corresponding DNS query: 197.14.116.144
Source: unknown	TCP traffic detected without corresponding DNS query: 40.245.69.92
Source: unknown	TCP traffic detected without corresponding DNS query: 153.178.116.226
Source: unknown	TCP traffic detected without corresponding DNS query: 189.236.18.67
Source: unknown	TCP traffic detected without corresponding DNS query: 126.88.148.136
Source: unknown	TCP traffic detected without corresponding DNS query: 156.149.209.71
Source: unknown	TCP traffic detected without corresponding DNS query: 213.201.89.134
Source: unknown	TCP traffic detected without corresponding DNS query: 177.235.129.39
Source: unknown	TCP traffic detected without corresponding DNS query: 217.61.61.202
Source: unknown	TCP traffic detected without corresponding DNS query: 83.61.104.59
Source: unknown	TCP traffic detected without corresponding DNS query: 174.143.220.153
Source: unknown	TCP traffic detected without corresponding DNS query: 39.18.51.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.109.145.62
Source: unknown	TCP traffic detected without corresponding DNS query: 45.255.135.102
Source: unknown	TCP traffic detected without corresponding DNS query: 66.219.97.85
Source: unknown	TCP traffic detected without corresponding DNS query: 89.85.133.238
Source: unknown	TCP traffic detected without corresponding DNS query: 40.61.5.13
Source: unknown	TCP traffic detected without corresponding DNS query: 2.60.197.45
Source: unknown	TCP traffic detected without corresponding DNS query: 217.136.153.255
Source: unknown	TCP traffic detected without corresponding DNS query: 217.82.254.151
Source: unknown	TCP traffic detected without corresponding DNS query: 251.55.104.36
Source: unknown	TCP traffic detected without corresponding DNS query: 251.32.28.113
Source: unknown	TCP traffic detected without corresponding DNS query: 60.229.78.190
Source: unknown	TCP traffic detected without corresponding DNS query: 251.104.251.247
Source: unknown	TCP traffic detected without corresponding DNS query: 128.240.48.201
Source: unknown	TCP traffic detected without corresponding DNS query: 85.189.166.3
Source: unknown	TCP traffic detected without corresponding DNS query: 119.216.83.99
Source: unknown	TCP traffic detected without corresponding DNS query: 201.64.55.255
Source: unknown	TCP traffic detected without corresponding DNS query: 80.82.73.207
Source: unknown	TCP traffic detected without corresponding DNS query: 121.169.185.253
Source: unknown	TCP traffic detected without corresponding DNS query: 113.238.86.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.236.18.139
Source: unknown	TCP traffic detected without corresponding DNS query: 166.26.244.111
Source: unknown	TCP traffic detected without corresponding DNS query: 94.251.52.198
Source: unknown	TCP traffic detected without corresponding DNS query: 160.9.131.102
Source: unknown	TCP traffic detected without corresponding DNS query: 157.212.81.8
Source: unknown	TCP traffic detected without corresponding DNS query: 178.61.76.238
Source: unknown	TCP traffic detected without corresponding DNS query: 114.169.119.33
Source: unknown	TCP traffic detected without corresponding DNS query: 90.21.172.20
Source: unknown	TCP traffic detected without corresponding DNS query: 188.16.42.136

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39256
Source: unknown	Network traffic detected: HTTP traffic on port 39256 -> 443

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.linELF@0/0@0/0

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6255)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.0Fjc6Sa07O /tmp/tmp.DPqLuuMFBT /tmp/tmp.Fb6Zs0EqXf			Jump to behavior
Source: /usr/bin/dash (PID: 6256)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.0Fjc6Sa07O /tmp/tmp.DPqLuuMFBT /tmp/tmp.Fb6Zs0EqXf			Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/kkkarm.elf (PID: 6282)

Queries kernel information via 'uname':

Jump to behavior

Source: kkkarm.elf, 6282.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp, kkkarm.elf, 6284.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp, kkkarm.elf, 6288.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp, kkkarm.elf, 6290.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: kkkarm.elf, 6282.1.00007ffd68300000.00007ffd68321000.rw-.sdmp, kkkarm.elf, 6284.1.00007ffd68300000.00007ffd68321000.rw-.sdmp, kkkarm.elf, 6288.1.00007ffd68300000.00007ffd68321000.rw-.sdmp, kkkarm.elf, 6290.1.00007ffd68300000.00007ffd68321000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/kkkarm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kkkarm.elf
Source: kkkarm.elf, 6282.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp, kkkarm.elf, 6284.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp, kkkarm.elf, 6288.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp, kkkarm.elf, 6290.1.000055d1ee26e000.000055d1ee39c000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: kkkarm.elf, 6282.1.00007ffd68300000.00007ffd68321000.rw-.sdmp, kkkarm.elf, 6284.1.00007ffd68300000.00007ffd68321000.rw-.sdmp, kkkarm.elf, 6288.1.00007ffd68300000.00007ffd68321000.rw-.sdmp, kkkarm.elf, 6290.1.00007ffd68300000.00007ffd68321000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: kkkarm.elf, 6288.1.00007ffd68300000.00007ffd68321000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.87.169.219	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
24.239.78.199	unknown	United States	27364	ACS-INTERNETUS	false
186.16.121.188	unknown	Paraguay	23201	TelecelSAPY	false
38.53.171.212	unknown	United States	174	COGENT-174US	false
80.126.103.156	unknown	Netherlands	3265	XS4ALL-NLAmsterdamNL	false
203.75.199.223	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
221.1.35.196	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
97.137.187.248	unknown	United States	6167	CELLCO-PARTUS	false
252.106.43.36	unknown	Reserved	unknown	unknown	false
66.28.100.93	unknown	United States	174	COGENT-174US	false
149.154.31.175	unknown	United States	43074	KLASIE	false
31.136.113.89	unknown	Netherlands	15480	VFNL-ASVodafoneNLAutonomousSystemNL	false
45.154.131.50	unknown	Ukraine	3255	UARNET-ASUARNetUA	false
77.247.117.79	unknown	Lithuania	48095	XTGLOBALRO	false
77.80.94.67	unknown	Austria	760	UNIVIEUniversityofViennaAustriaAT	false
83.238.118.91	unknown	Poland	12741	AS-NETIAWarszawa02-822PL	false
95.42.178.142	unknown	Bulgaria	8866	BTC-ASBULGARIABG	false
43.61.185.249	unknown	Japan	4249	LILLY-ASUS	false
39.6.252.199	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
67.173.164.2	unknown	United States	7922	COMCAST-7922US	false
248.250.22.52	unknown	Reserved	unknown	unknown	false
92.35.104.250	unknown	Sweden	2119	TELENOR-NEXTELTelenorNorgeASNO	false
212.228.15.138	unknown	United Kingdom	6659	NEXINTO-DE	false
249.99.111.115	unknown	Reserved	unknown	unknown	false
159.148.163.207	unknown	Latvia	15483	SALESLV-ASLV	false
249.72.8.62	unknown	Reserved	unknown	unknown	false
208.73.247.120	unknown	United States	14287	TRIAD-TELECOMUS	false
61.173.21.174	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
98.164.6.138	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
115.38.140.185	unknown	Japan	18126	CTCXChubuTelecommunicationsCompanyIncJP	false
247.187.174.254	unknown	Reserved	unknown	unknown	false
152.117.115.172	unknown	United States	11863	PLUUS	false
254.163.247.180	unknown	Reserved	unknown	unknown	false
113.150.245.255	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
24.184.113.154	unknown	United States	6128	CABLE-NET-1US	false
217.220.244.251	unknown	Italy	8968	BT-ITALIAIT	false
31.174.135.181	unknown	Poland	39603	P4NETP4UMTSoperatorinPolandPL	false
34.141.98.10	unknown	United States	2686	ATGS-MMD-ASUS	false
106.229.125.125	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
123.187.78.225	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
18.255.31.166	unknown	United States	16509	AMAZON-02US	false
76.110.214.185	unknown	United States	7922	COMCAST-7922US	false
208.115.121.95	unknown	United States	23033	WOWUS	false
39.112.12.105	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
253.24.59.29	unknown	Reserved	unknown	unknown	false
70.161.129.128	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
67.214.45.87	unknown	United States	40336	UNISKY-MIAUS	false
159.92.144.104	unknown	United States	14340	SALESFORCEUS	false
9.109.32.9	unknown	United States	3356	LEVEL3US	false
73.152.110.240	unknown	United States	7922	COMCAST-7922US	false
98.213.229.17	unknown	United States	7922	COMCAST-7922US	false
213.167.3.53	unknown	Bulgaria	28909	BG-TVSAT-ASBG	false
222.62.25.207	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
180.119.27.17	unknown	China	137702	CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvince	false
205.147.223.63	unknown	United States	7029	WINDSTREAMUS	false
123.155.43.54	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
34.189.19.44	unknown	United States	2686	ATGS-MMD-ASUS	false
196.220.61.247	unknown	South Africa	36943	GridhostZA	false
222.32.175.192	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
194.167.24.210	unknown	France	2200	FR-RENATERReseauNationaldetelecommunicationspourlaTec	false
201.89.39.32	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
47.3.254.115	unknown	United States	19115	CHARTER-19115-DCUS	false
128.18.50.174	unknown	United States	264	SRINET-ASUS	false
145.163.35.243	unknown	Netherlands	59524	KPN-IAASNL	false
125.30.213.12	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
72.201.247.59	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
246.194.12.79	unknown	Reserved	unknown	unknown	false
163.72.203.124	unknown	France	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
151.85.4.102	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
32.17.43.218	unknown	United States	2686	ATGS-MMD-ASUS	false
42.180.134.57	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
122.144.248.134	unknown	China	17775	STN-CNshanghaiscienceandtechnologynetworkcommunication	false
84.155.238.245	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
176.193.165.78	unknown	Russian Federation	12714	TI-ASMoscowRussiaRU	false
89.78.10.236	unknown	Poland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
97.251.252.177	unknown	United States	6167	CELLCO-PARTUS	false
200.161.143.195	unknown	Brazil	27699	TELEFONICABRASILSABR	false
110.205.88.186	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
125.90.225.234	unknown	China	58543	CHINATELECOM-GUANGDONG-IDCGuangdongCN	false
39.131.192.193	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
180.234.213.98	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
119.58.146.240	unknown	China	4773	MOBILEONELTD-AS-APMobileOneLtdMobileInternetServicePr	false
163.11.124.20	unknown	United States	600	OARNET-ASUS	false
203.121.43.241	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	false
63.92.20.214	unknown	United States	701	UUNETUS	false
122.177.148.130	unknown	India	24560	AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices	false
193.42.141.43	unknown	Italy	34093	PLUSLINE-ASCZ	false
197.136.236.21	unknown	Kenya	36914	KENET-ASKE	false
252.157.126.64	unknown	Reserved	unknown	unknown	false
20.232.130.142	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
65.65.58.0	unknown	United States	7018	ATT-INTERNET4US	false
95.37.132.59	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
69.226.27.185	unknown	United States	7018	ATT-INTERNET4US	false
40.75.113.245	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
108.169.34.223	unknown	United States	46375	AS-SONICTELECOMUS	false
114.73.213.84	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
75.16.193.216	unknown	United States	7018	ATT-INTERNET4US	false
88.189.158.40	unknown	France	12322	PROXADFR	false
58.47.210.177	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
107.241.156.78	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false

ID:	1542903
Product:	CloudBasic
Start time:	19:51:07
Start date:	26.10.2024
Sample:	kkkarm.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	5884e26612e6f67801f68fc23fbca30f
SHA1:	fa157c68363bc024b109d5d10bd64f8a02d419fe
SHA256:	c33d00190d82329fb8348da08734ecde32f2641d4ea5dc8e8cc4b4392356c395
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
kkkarm.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report kkkarm.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
kkkarm.elf