Linux Analysis Report
cARM.elf

Overview

General Information

Sample name: cARM.elf
Analysis ID: 1561478
MD5: 6c88591fb7be04498a665dddbb0d3af5
SHA1: 36b82f4ea84a0b8102249c09b47988f6e2405ab9
SHA256: 616c87759bc580a751c1ee2f7f5014065c248a814d02232b070553818292149f
Tags: elfuser-abuse_ch

Detection

Score: 22
Range: 0 - 100
Whitelisted: false

Signatures

Contains symbols with names commonly found in malware
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample and/or dropped files contains symbols with suspicious names
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Networking

Source: global traffic UDP traffic: 192.168.2.23:45881 -> 45.148.10.176:4411
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: cARM.elf String found in binary or memory: http://51.81.121.129/cARM
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: ELF static info symbol of initial sample Name: main.SendACKAttack
Source: ELF static info symbol of initial sample Name: main.SendFXYAPAttack
Source: ELF static info symbol of initial sample Name: main.SendPSHAttack
Source: ELF static info symbol of initial sample Name: main.SendSYNAttack
Source: ELF static info symbol of initial sample Name: main.SendUDPAttack
Source: cARM.elf ELF static info symbol of initial sample: encoding/json.(*scanner).eof
Source: cARM.elf ELF static info symbol of initial sample: encoding/json.(*scanner).pushParseState
Source: cARM.elf ELF static info symbol of initial sample: encoding/json.freeScanner
Source: cARM.elf ELF static info symbol of initial sample: encoding/json.newScanner
Source: cARM.elf ELF static info symbol of initial sample: encoding/json.scannerPool
Source: cARM.elf ELF static info symbol of initial sample: internal/poll.TestHookDidSendFile
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Goid
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Gosched
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Run
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Run.deferwrap1
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Run.deferwrap2
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Run.func1
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.Throw
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.hooks
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.locked
Source: cARM.elf ELF static info symbol of initial sample: internal/runtime/exithook.runGoid
Source: classification engine Classification label: sus22.linELF@0/0@0/0
Source: ELF file section Submission: cARM.elf
Source: /usr/bin/dash (PID: 6222) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aNyespp82r /tmp/tmp.IQcjuF3Dk3 /tmp/tmp.0bY9obFiN4
Source: /usr/bin/dash (PID: 6223) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aNyespp82r /tmp/tmp.IQcjuF3Dk3 /tmp/tmp.0bY9obFiN4
Source: /usr/bin/bash (PID: 6257) Queries kernel information via 'uname'
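An added example, not part of the sandbox report and not code from the sample or its authors, that reproduces the symbol check behind the first System Summary finding: it walks the .symtab of a little-endian ELF32 or ELF64 image and flags names that follow the main.Send*Attack pattern listed above. The image it scans is constructed in code (a code-less stub whose symbol list, DEMO_SYMBOLS, is invented; main.SendSYNAttack and main.SendUDPAttack stand in for the sample's routines), and the regex, the stub builder and the EM_ARM/EM_AARCH64 machine values are assumptions of the example. Note that the encoding/json and internal/runtime/exithook names in the second group of findings are ordinary Go standard-library symbols present in any binary built with a recent Go toolchain, so on their own they carry no signal; the main.Send*Attack names do.

```python
import re
import struct
import sys

# Naming pattern of the flood routines listed in this report
# (main.SendACKAttack, main.SendSYNAttack, ...). Assumed for this example.
ATTACK_SYMBOL_RE = re.compile(r"^main\.Send[A-Za-z0-9]+Attack$")
SHT_SYMTAB, SHT_STRTAB = 2, 3

# Per ELF class: e_shoff format and offset, offset of (e_shentsize, e_shnum, e_shstrndx),
# Elf_Shdr struct format, Elf_Sym struct format. Little-endian only.
_LAYOUT = {
    1: ("<I", 0x20, 0x2E, "<IIIIIIIIII", "<IIIBBH"),  # ELF32
    2: ("<Q", 0x28, 0x3A, "<IIQQQQIIQQ", "<IBBHQQ"),  # ELF64
}

def elf_symbol_names(data):
    """Return every non-empty name referenced from the SHT_SYMTAB sections of a
    little-endian ELF32/ELF64 image (names resolved through sh_link -> .strtab)."""
    if data[:4] != b"\x7fELF" or data[4] not in _LAYOUT:
        raise ValueError("not a supported ELF image")
    if data[5] != 1:
        raise ValueError("big-endian ELF not handled by this example")
    shoff_fmt, shoff_at, cnt_at, shdr_fmt, sym_fmt = _LAYOUT[data[4]]
    shoff = struct.unpack_from(shoff_fmt, data, shoff_at)[0]
    shentsize, shnum, _ = struct.unpack_from("<HHH", data, cnt_at)
    # Field order (name, type, flags, addr, offset, size, link, info, align, entsize)
    # is identical in Elf32_Shdr and Elf64_Shdr; only the field widths differ.
    sections = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    names = []
    for sec in sections:
        if sec[1] != SHT_SYMTAB:
            continue
        strtab = sections[sec[6]]
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        entsize = sec[9] or struct.calcsize(sym_fmt)
        for j in range(sec[5] // entsize):
            st_name = struct.unpack_from("<I", data, sec[4] + j * entsize)[0]  # first field in both classes
            if st_name:
                names.append(strs[st_name:strs.index(b"\x00", st_name)].decode("utf-8", "replace"))
    return names

def flag_attack_symbols(names):
    """Sorted subset of names that follow the flood-routine naming pattern."""
    return sorted(n for n in names if ATTACK_SYMBOL_RE.match(n))

# Constructed symbol list for the stub image: two invented flood routines plus
# ordinary Go runtime/stdlib names, which must NOT be flagged.
DEMO_SYMBOLS = ["main.main", "runtime.main", "encoding/json.newScanner",
                "internal/runtime/exithook.Run", "main.SendSYNAttack", "main.SendUDPAttack"]

def build_stub_elf(symbol_names, elf64=False):
    """Constructed test input: a code-less ELF image holding only a .symtab/.strtab
    pair carrying symbol_names. Not derived from the analysed sample."""
    shdr_fmt, sym_fmt = _LAYOUT[2 if elf64 else 1][3:]
    strtab = b"\x00" + b"".join(n.encode() + b"\x00" for n in symbol_names)
    syms, off = bytearray(struct.calcsize(sym_fmt)), 1          # entry 0 is the null symbol
    for n in symbol_names:                                      # STB_GLOBAL|STT_FUNC = 0x12, st_shndx 1
        syms += struct.pack(sym_fmt, off, 0x12, 0, 1, 0, 0) if elf64 else struct.pack(sym_fmt, off, 0, 0, 0x12, 0, 1)
        off += len(n) + 1
    shstrtab = b"\x00.symtab\x00.strtab\x00.shstrtab\x00"       # section-name offsets 1, 9, 17
    ehsize = 64 if elf64 else 52
    strtab_off = ehsize
    symtab_off = strtab_off + len(strtab)
    shstr_off = symtab_off + len(syms)
    pad = (-(shstr_off + len(shstrtab))) % 8                    # align the section header table
    shoff = shstr_off + len(shstrtab) + pad
    def shdr(name, typ, offset, size, link, entsize):
        return struct.pack(shdr_fmt, name, typ, 0, 0, offset, size, link, 0, 1, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_SYMTAB, symtab_off, len(syms), 2, struct.calcsize(sym_fmt))
             + shdr(9, SHT_STRTAB, strtab_off, len(strtab), 0, 0)
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0))
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 1, 1]) + b"\x00" * 9
    hdr_fmt = "<HHIQQQIHHHHHH" if elf64 else "<HHIIIIIHHHHHH"
    machine = 0xB7 if elf64 else 0x28                           # EM_AARCH64 / EM_ARM, arbitrary for the stub
    ehdr = ident + struct.pack(hdr_fmt, 2, machine, 1, 0, 0, shoff, 0, ehsize, 0, 0,
                               struct.calcsize(shdr_fmt), 4, 3)
    return ehdr + strtab + syms + shstrtab + b"\x00" * pad + shdrs

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_elf(DEMO_SYMBOLS)
    print("flood-routine symbols:", flag_attack_symbols(elf_symbol_names(image)) or "none")
```

Run it with a file path to scan a real binary; with no argument it scans the built-in stub. A Go binary that has been stripped loses .symtab entirely, in which case function names have to be recovered from .gopclntab instead, which this example does not parse, so a clean result from it is not proof of absence.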