Linux Analysis Report
arm6.elf

ID:	1544041
Product:	CloudBasic
Start time:	18:38:06
Start date:	28.10.2024
Sample:	arm6.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	f64be83f8826671ee77ced3a3e5ff28a
SHA1:	e1b7c11ecba5e437ed97f1d131257686232df72b
SHA256:	89530ec22331646332cb08eac2197872d97f8dc234372f4f4ba96f38ded26d89
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: arm6.elf

ReversingLabs: Detection: 18%

Spreading

Source: arm6.elf	String: ash|login|wget|curl|tftp|ntpdate|ftp
Source: arm6.elf	String: /proc//exe|ash|login|wget|curl|tftp|ntpdate|ftp/lib//lib64//mountinfo

Networking

Source: /tmp/arm6.elf (PID: 6221)

Socket: 127.0.0.1:1234

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@0/0

Persistence and Installation Behavior

Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/11/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/22/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/66/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/99/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/111/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/222/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/333/maps			Jump to behavior
Source: /tmp/arm6.elf (PID: 6221)	File opened: /proc/777/maps			Jump to behavior

Malware Analysis System Evasion

Source: /tmp/arm6.elf (PID: 6221)

Queries kernel information via 'uname':

Jump to behavior

Source: arm6.elf, 6221.1.000056476c931000.000056476ca80000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm6.elf, 6221.1.00007ffe32b20000.00007ffe32b41000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm6.elf, 6221.1.00007ffe32b20000.00007ffe32b41000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
Source: arm6.elf, 6221.1.00007ffe32b20000.00007ffe32b41000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 6221.1.000056476c931000.000056476ca80000.rw-.sdmp	Binary or memory string: lGV!/etc/qemu-binfmt/arm