Linux Analysis Report
zone.mips.elf

Overview

General Information

Sample name: zone.mips.elf
Analysis ID: 1546542
MD5: 5b0f6b33fc2e7ca43a28f3180315b33d
SHA1: 035ef3311509f9a66adbc37709025190dd4e3a60
SHA256: b82702ae2e2795657074db4caf23bc099be0edfb1a6db3531e3721820d4f297c
Tags: elfuser-abuse_ch

Detection

Score: 22
Range: 0 - 100
Whitelisted: false

Signatures

Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: unknown TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: zone.mips.elf String found in binary or memory: http://upx.sf.net
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54632
Source: unknown Network traffic detected: HTTP traffic on port 48202 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54632 -> 443
Source: LOAD without section mappings Program segment: 0x10000
Source: classification engine Classification label: sus22.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $
Source: /usr/bin/dash (PID: 5466) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.LHb7HZLpmh /tmp/tmp.4jVz2QAFoJ /tmp/tmp.sAy7vZw2mu
Source: /usr/bin/dash (PID: 5467) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.LHb7HZLpmh /tmp/tmp.4jVz2QAFoJ /tmp/tmp.sAy7vZw2mu
Source: zone.mips.elf Submission file: segment LOAD with 7.8877 entropy (max. 8.0)
Source: zone.mips.elf Submission file: segment LOAD with 7.9999 entropy (max. 8.0)
Source: /tmp/zone.mips.elf (PID: 5423) Queries kernel information via 'uname'
Source: zone.mips.elf, 5423.1.00007ffd485c8000.00007ffd485e9000.rw-.sdmp Binary or memory string: X^'-x86_64/usr/bin/qemu-mips/tmp/zone.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zone.mips.elf
Source: zone.mips.elf, 5423.1.000055573838e000.0000555738693000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: zone.mips.elf, 5423.1.000055573838e000.0000555738693000.rw-.sdmp Binary or memory string: 7:8WU 0:8WU!/etc/qemu-binfmt/mips
Source: zone.mips.elf, 5423.1.00007ffd485c8000.00007ffd485e9000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips