Linux Analysis Report
tarm7.elf

Overview

General Information

Sample name: tarm7.elf
Analysis ID: 1544639
MD5: 283d2c9be4cca2978d131da65bf2050a
SHA1: 92a9573b2ae418de74aab13e1cfe0943db899b8d
SHA256: 2f5aebc64c61a50611cab64894853fdb96d2b1468abb4c82d58b5e4a96bc88d6
Tags: elf, user-abuse_ch

Detection

Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Connects to many ports of the same IP (likely port scanning)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample scans a subnet
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: tarm7.elf Avira: detected
Source: tarm7.elf ReversingLabs: Detection: 31%

Networking

Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:42748 -> 46.23.108.252:4840
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:38020 -> 46.23.108.58:24272
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:51280 -> 46.23.108.55:2410
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:41254 -> 46.23.108.109:2654
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:42750 -> 46.23.108.252:4840
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:41686 -> 46.23.108.159:22438
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:42746 -> 46.23.108.252:4840
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:44762 -> 46.23.108.64:21693
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:38634 -> 46.23.108.62:17532
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:44266 -> 46.23.108.54:4051
Source: Network traffic Suricata IDS: 2050066 - Severity 1 - ET MALWARE Hailbot CnC Checkin : 192.168.2.15:41256 -> 46.23.108.109:2654
Source: global traffic TCP traffic: 46.23.108.62 ports 17532,1,2,3,5,7
Source: global traffic TCP traffic: 46.23.108.64 ports 21693,1,2,3,6,9
Source: ip traffic Subnet 46.23.108.0/24: 46.23.108.58, 46.23.108.109, 46.23.108.62, 46.23.108.54, 46.23.108.64, 46.23.108.55, 46.23.108.252, 46.23.108.159
Source: global traffic DNS traffic detected: malformed DNS query: repo.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: sandmen.geek. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: sliteyed.pirate. [malformed]
Source: global traffic TCP traffic: 192.168.2.15:38020 -> 46.23.108.58:24272
Source: global traffic TCP traffic: 192.168.2.15:42746 -> 46.23.108.252:4840
Source: global traffic TCP traffic: 192.168.2.15:41254 -> 46.23.108.109:2654
Source: global traffic TCP traffic: 192.168.2.15:44762 -> 46.23.108.64:21693
Source: global traffic TCP traffic: 192.168.2.15:51280 -> 46.23.108.55:2410
Source: global traffic TCP traffic: 192.168.2.15:38634 -> 46.23.108.62:17532
Source: global traffic TCP traffic: 192.168.2.15:44266 -> 46.23.108.54:4051
Source: global traffic TCP traffic: 192.168.2.15:41686 -> 46.23.108.159:22438
Source: /tmp/tarm7.elf (PID: 5497) Socket: 127.0.0.1:1172
Source: global traffic DNS traffic detected: DNS query: dingdingrouter.pirate
Source: global traffic DNS traffic detected: DNS query: repo.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: sandmen.geek
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: global traffic DNS traffic detected: DNS query: sliteyed.pirate
Source: global traffic DNS traffic detected: DNS query: sandmen.geek. [malformed]
Source: global traffic DNS traffic detected: DNS query: sliteyed.pirate. [malformed]
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal80.spre.troj.linELF@0/0@35/0

Persistence and Installation Behavior

Source: /tmp/tarm7.elf (PID: 5499) File: /proc/5499/mounts
Source: /tmp/tarm7.elf (PID: 5497) Queries kernel information via 'uname'
Source: tarm7.elf, 5497.1.000056073018e000.0000560730305000.rw-.sdmp, tarm7.elf, 5499.1.000056073018e000.0000560730305000.rw-.sdmp, tarm7.elf, 5504.1.000056073018e000.0000560730305000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: tarm7.elf, 5497.1.000056073018e000.0000560730305000.rw-.sdmp, tarm7.elf, 5499.1.000056073018e000.0000560730305000.rw-.sdmp, tarm7.elf, 5504.1.000056073018e000.0000560730305000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/arm
Source: tarm7.elf, 5497.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp, tarm7.elf, 5499.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp, tarm7.elf, 5504.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: tarm7.elf, 5504.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: tarm7.elf, 5497.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp, tarm7.elf, 5499.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp, tarm7.elf, 5504.1.00007ffeb7d6c000.00007ffeb7d8d000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/tarm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tarm7.elf