Linux Analysis Report
main_arm.elf

ID:	1561539
Product:	CloudBasic
Start time:	18:17:07
Start date:	23.11.2024
Sample:	main_arm.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	b5b7f0c68cdf6458e137e7dfb1d74e6f
SHA1:	ceb4700b167cff05ccb77a25260bf696b39b8e63
SHA256:	6017dc10e1edd004384c5b0033e237a81e293d8668459c107f057fbdc62f771c
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: main_arm.elf

Avira: detected

Source: main_arm.elf

ReversingLabs: Detection: 54%

Networking

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: main_arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: main_arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6258.1.00007f96e0017000.00007f96e0033000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6258.1.00007f96e0017000.00007f96e0033000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: main_arm.elf PID: 6258, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: main_arm.elf PID: 6258, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample

String containing 'busybox' found: /bin/busybox

Source: Initial sample

String containing 'busybox' found: /bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/telnetsshwatchdogsshd/usr/compress/bin//compress/bin/compress/usr/bashmain_x86main_x86_64main_mipsmain_mipselmain_armmain_arm5main_arm6main_arm7main_ppcmain_m68kmain_sh4main_spchttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt//tmp/var/mnt/boot/home/dev/..//root(deleted)/proc/self/exe

Source: ELF static info symbol of initial sample

.symtab present: no

Source: main_arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: main_arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6258.1.00007f96e0017000.00007f96e0033000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6258.1.00007f96e0017000.00007f96e0033000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: main_arm.elf PID: 6258, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: main_arm.elf PID: 6258, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal72.troj.linELF@0/0@0/0

Malware Analysis System Evasion

Source: /tmp/main_arm.elf (PID: 6258)

Queries kernel information via 'uname':

Jump to behavior

Source: main_arm.elf, 6258.1.0000565240ede000.000056524100c000.rw-.sdmp	Binary or memory string: @RV!/etc/qemu-binfmt/arm
Source: main_arm.elf, 6258.1.00007ffe001ca000.00007ffe001eb000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/main_arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/main_arm.elf
Source: main_arm.elf, 6258.1.0000565240ede000.000056524100c000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: main_arm.elf, 6258.1.00007ffe001ca000.00007ffe001eb000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Source: Yara match	File source: main_arm.elf, type: SAMPLE
Source: Yara match	File source: 6258.1.00007f96e0017000.00007f96e0033000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main_arm.elf PID: 6258, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: main_arm.elf, type: SAMPLE
Source: Yara match	File source: 6258.1.00007f96e0017000.00007f96e0033000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: main_arm.elf PID: 6258, type: MEMORYSTR