Linux Analysis Report
5lg7zd.elf

Overview

General Information

Sample name: 5lg7zd.elf
Analysis ID: 1545733
MD5: 3fd49e4042a00c6ede9b35aa07d76519
SHA1: 9372632dec1b7dc2ef0011c5532f8d2eb865007d
SHA256: 53169e90ce7108468c0ce5ccde55db90fa9925451b91e4b3e4af690765809eef
Tags: elf, user-MDMCk10

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Executes the "iptables" command to insert, remove and/or manipulate rules
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads the 'hosts' file potentially containing internal network hosts
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Networking

Source: /tmp/5lg7zd.elf (PID: 6246) Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 61234 -j DROP
Source: /tmp/5lg7zd.elf (PID: 6246) Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 61234 -j DROP
Source: global traffic HTTP traffic detected:
GET /api/client HTTP/1.1
Host: vnc.wtf
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: FXbLJ4YTqufnt8aeQ+JYog==
Origin: https://vnc.wtf
Sec-WebSocket-Version: 13
Authorization: Basic Y2xpZW50OlBJTktJRVBJRQ==
Source: /tmp/5lg7zd.elf (PID: 6241) Reads hosts file: /etc/hosts
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: vnc.wtf
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crlhttp://crl.dhimyotis.com/certignarootca.crl(c)
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crlhttp://crl.dhimyotis.com/certignarootca.crl/etc/ssl/certs/C
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl0;1
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl/etc/ssl/certs/COMODO_ECC_Certification_Auth
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem/etc/ssl/certs/Global
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl/etc/ssl/certs/Sonera_Class_2_Root_CA.pem/etc/ssl/certs/Sonera_Cl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crlStaat
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl/etc/ssl/certs/Secure_Global_CA.pem/etc/ssl/certs/Secure_Global_C
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl/etc/ssl/certs/ca-certificates.crt/etc/ssl/certs/ca-certificate
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://ocsp.accv.es
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: 5lg7zd.elf String found in binary or memory: http://upx.sf.net
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0;1
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0B1
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.accv.es00
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://13::1ip6-localhostip6-loopbackhttps://vnc.wtffe00::ff00::ip6-localnet13
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem/etc/ssl/certs/QuoVadis_Roo
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.comSSL.com
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://vnc.wtf
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 56352
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 56352 -> 443
Source: LOAD without section mappings Program segment: 0x400000
Source: classification engine Classification label: mal48.evad.linELF@0/0@2/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Source: 5lg7zd.elf Submission file: segment LOAD with 7.6612 entropy (max. 8.0)
Source: 5lg7zd.elf Submission file: segment LOAD with 7.9263 entropy (max. 8.0)
Source: /tmp/5lg7zd.elf (PID: 6241) Queries kernel information via 'uname'
Source: 5lg7zd.elf, 6241.1.000000c000000000.000000c000800000.rw-.sdmp Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd