Linux Analysis Report
pure-ftpd

Overview

General Information

Sample name: pure-ftpd
Analysis ID: 1562227
MD5: 42b6c0a470b6009cf36af9522224cbf6
SHA1: b1d8fcc01d27c6df0c32478bdd55bf46d71ed269
SHA256: a3e5af00e1f8d9e27a5dbcc4fa7be90522ddbdd097d86a715a9465915839ebb8
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false

Signatures

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table

Classification

Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: pure-ftpd ELF static info symbol of initial sample: freeaddrinfo
Source: pure-ftpd ELF static info symbol of initial sample: getaddrinfo
Source: pure-ftpd ELF static info symbol of initial sample: getnameinfo
Source: pure-ftpd String found in binary or memory: http://pureftpd.org/
Source: pure-ftpd String found in binary or memory: http://pureftpd.org/Data
Source: pure-ftpd String found in binary or memory: https://www.pureftpd.org/
Source: pure-ftpd String found in binary or memory: https://www.pureftpd.org/listnlstmfmtmlstmlsdaborsiteidleSITE
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: clean1.lin@0/0@0/0
Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 6279) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.X1oGK1mRig /tmp/tmp.BV2vYR63Ze /tmp/tmp.ElTY2jJylL Jump to behavior
Source: /usr/bin/dash (PID: 6288) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.X1oGK1mRig /tmp/tmp.BV2vYR63Ze /tmp/tmp.ElTY2jJylL Jump to behavior
Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)
Source: ELF symbol in initial sample Symbol name: sleep
Source: ELF symbol in initial sample Symbol name: usleep

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
54.171.230.55
 unknown United States
16509 AMAZON-02US false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false