Linux Analysis Report
linux_386.elf

Overview

General Information

Sample name: linux_386.elf
Analysis ID: 1562731
MD5: f5c59e70b89c03eb69f02a7be662ed59
SHA1: f1dc3d2d6c85692a2419517d3473bb370cf86510
SHA256: ae49891720a4fa75f48a58efd4fc5dcd369f8c99add24e781191616f46149457
Tags: elfuser-abuse_ch
Infos:

Detection

Chaos
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Chaos
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Machine Learning detection for sample
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads CPU information from /sys indicative of miner or evasive malware
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sleeps for long times indicative of sandbox evasion
Uses the "uname" system call to query kernel version information (possible evasion)
Writes shell script file to disk with an unusual file extension
Writes shell script files to disk

Classification

Name Description Attribution Blogpost URLs Link
Chaos Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: linux_386.elf ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: linux_386.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5507) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5685) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5762) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5832) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 103.135.101.78 ports 808,52462,2,4,5,6
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 48720 -> 808
Source: unknown Network traffic detected: HTTP traffic on port 808 -> 48720
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:38944 -> 103.135.101.78:52462
Reads the 'hosts' file potentially containing internal network hosts
Source: /tmp/linux_386.elf (PID: 5436) Reads hosts file: /etc/hosts Jump to behavior
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /password.txt HTTP/1.1Host: 103.135.101.78:808User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: linux_386.elf String found in binary or memory: http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qpadding bytes must all be zeros unless AllowIllegalWrites is enabledreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytestls: peer doesn't support the certificate custom signature algorithmsbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xgot %s for stream %d; expected CONTINUATION following %s for stream %dx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)dynamic table size update MUST occur at the beginning of a header blockssh: no common algorithm for %s; client offered: %v, server offered: %vtls: peer doesn't support any of the certificate's signature algorithmstoo many concurrent operations on a single file or socket (max 1048575)x509: issuer has name constraints but leaf doesn't have a SAN extensionMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)tls: server's certificate contains an unsupported type of public key: %Ttls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempt
Source: linux_386.elf String found in binary or memory: http: RoundTripper implementation (%T) returned a nil *Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromisedssh<<RMS>> equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: aras.liveya.org
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: linux_386.elf String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_386.elf String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_386.elf String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_386.elf String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: linux_386.elf String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_386.elf String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_386.elf String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_386.elf String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_386.elf String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_386.elf String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_386.elf String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_386.elf String found in binary or memory: http://yandex.com/bots)http:
Source: linux_386.elf String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_386.elf String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_386.elf String found in binary or memory: https://www.so.com/s?q=index
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /usr/bin/pkill (PID: 5507) SIGKILL sent: pid: 5437, result: successful Jump to behavior
Source: /usr/bin/pkill (PID: 5685) SIGKILL sent: pid: 5515, result: successful Jump to behavior
Source: /usr/bin/pkill (PID: 5762) SIGKILL sent: pid: 5691, result: successful Jump to behavior
Source: /usr/bin/pkill (PID: 5832) SIGKILL sent: pid: 5766, result: successful Jump to behavior
Source: classification engine Classification label: mal84.spre.troj.evad.linELF@0/29@6/0
Source: ELF file section Submission: linux_386.elf

Persistence and Installation Behavior
barindex
Sample tries to persist itself using /etc/profile
Source: /tmp/linux_386.elf (PID: 5436) File: /etc/profile.d/bash_config.sh Jump to behavior
Sample tries to persist itself using cron
Source: /usr/bin/bash (PID: 5562) File: /etc/crontab Jump to behavior
Sample tries to set files in /etc globally writable
Source: /tmp/linux_386.elf (PID: 5429) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5429) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Creates hidden files and/or directories
Source: /tmp/linux_386.elf (PID: 5436) File: /dev/.old Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /dev/.img Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /.img Jump to behavior
Source: /etc/id.services.conf (PID: 5835) File: /dev/.old Jump to behavior
Source: /etc/id.services.conf (PID: 5835) File: /dev/.img Jump to behavior
Source: /etc/id.services.conf (PID: 5767) File: /dev/.old Jump to behavior
Source: /etc/id.services.conf (PID: 5767) File: /dev/.img Jump to behavior
Source: /etc/id.services.conf (PID: 5690) File: /dev/.old Jump to behavior
Source: /etc/id.services.conf (PID: 5690) File: /dev/.img Jump to behavior
Source: /boot/System.img.config (PID: 5514) File: /dev/.old Jump to behavior
Source: /boot/System.img.config (PID: 5514) File: /dev/.img Jump to behavior
Creates hidden files without content (potentially used as a mutex)
Source: /boot/System.img.config (PID: 5514) Empty hidden file: /dev/.old Jump to behavior
Source: /boot/System.img.config (PID: 5514) Empty hidden file: /dev/.img Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/230/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/230/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/231/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/231/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/232/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/232/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/233/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/233/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/234/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/234/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/236/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/236/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/237/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/237/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/238/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/238/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/239/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/239/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/914/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/914/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/917/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/917/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/19/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/19/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/240/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/240/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/3095/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/3095/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/241/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/241/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/242/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/242/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/244/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/244/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/245/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/245/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/1588/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/1588/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/246/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/246/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/126/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/126/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/5/status Jump to behavior
Source: /usr/bin/pkill (PID: 5685) File opened: /proc/5/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/linux_386.elf (PID: 5434) Shell command executed: /bin/bash -c /etc/32678& Jump to behavior
Source: /tmp/linux_386.elf (PID: 5471) Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager" Jump to behavior
Source: /tmp/linux_386.elf (PID: 5538) Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp" Jump to behavior
Source: /usr/sbin/cron (PID: 5661) Shell command executed: /bin/sh -c "/.img " Jump to behavior
Source: /usr/sbin/cron (PID: 5728) Shell command executed: /bin/sh -c "/.img "
Source: /usr/sbin/cron (PID: 5812) Shell command executed: /bin/sh -c "/.img "
Source: /usr/sbin/cron (PID: 5871) Shell command executed: /bin/sh -c "/.img "
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /boot/System.img.config (PID: 5507) Pkill executable: /usr/bin/pkill -> pkill -9 32678 Jump to behavior
Source: /etc/id.services.conf (PID: 5685) Pkill executable: /usr/bin/pkill -> pkill -9 32678 Jump to behavior
Source: /etc/id.services.conf (PID: 5762) Pkill executable: /usr/bin/pkill -> pkill -9 32678 Jump to behavior
Source: /etc/id.services.conf (PID: 5832) Pkill executable: /usr/bin/pkill -> pkill -9 32678 Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 5435) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 5451) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5457) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 5455) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload Jump to behavior
Source: /bin/bash (PID: 5472) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload Jump to behavior
Source: /bin/bash (PID: 5478) Systemctl executable: /usr/bin/systemctl -> systemctl enable linux.service Jump to behavior
Source: /bin/bash (PID: 5492) Systemctl executable: /usr/bin/systemctl -> systemctl start linux.service Jump to behavior
Source: /usr/sbin/service (PID: 5586) Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service Jump to behavior
Source: /usr/sbin/service (PID: 5603) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5609) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /tmp/linux_386.elf (PID: 5623) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 5834) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 5847) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5849) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 5765) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 5781) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5783) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 5689) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 5698) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5700) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 5513) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 5531) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5533) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Sample tries to set the executable flag
Source: /tmp/linux_386.elf (PID: 5429) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5429) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /boot/System.img.config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/lib/libdlrpcld.so (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/lib/system-monitor (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/ss (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/ls (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/dir (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/find (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes shell script file to disk with an unusual file extension
Source: /tmp/linux_386.elf (PID: 5429) Writes shell script file to disk with an unusual file extension: /etc/32678 Jump to dropped file
Source: /tmp/linux_386.elf (PID: 5436) Writes shell script file to disk with an unusual file extension: /etc/init.d/linux_kill Jump to dropped file
Source: /tmp/linux_386.elf (PID: 5436) Writes shell script file to disk with an unusual file extension: /.img Jump to dropped file
Source: /tmp/linux_386.elf (PID: 5436) Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh Jump to dropped file
Writes shell script files to disk
Source: /tmp/linux_386.elf (PID: 5436) Shell script file created: /etc/profile.d/bash_config.sh Jump to dropped file
Source: /usr/sbin/service (PID: 5458) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5610) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5850) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5784) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5701) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5534) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Drops files in suspicious directories
Source: /tmp/linux_386.elf (PID: 5436) File: /etc/init.d/linux_kill Jump to dropped file
Source: /tmp/linux_386.elf (PID: 5436) File: /etc/init.d/ssh Jump to dropped file
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 48720 -> 808
Source: unknown Network traffic detected: HTTP traffic on port 808 -> 48720
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /etc/32678 (PID: 5448) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 5530) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 5696) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 5779) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 5845) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5507) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5685) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5762) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5832) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Sleeps for long times indicative of sandbox evasion
Source: /usr/bin/sleep (PID: 5448) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/bin/sleep (PID: 5530) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/bin/sleep (PID: 5696) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/bin/sleep (PID: 5779) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/bin/sleep (PID: 5845) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/sbin/cron (PID: 5619) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/sbin/cron (PID: 5674) Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 5749) Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 5749) Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 5818) Sleeps longer then 60s: 60.0s
Source: /usr/sbin/cron (PID: 5877) Sleeps longer then 60s: 60.0s
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/linux_386.elf (PID: 5429) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 5434) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/linux_386.elf (PID: 5436) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 5471) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 5538) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/bash (PID: 5562) Queries kernel information via 'uname': Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Chaos
Source: Yara match File source: linux_386.elf, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Chaos
Source: Yara match File source: linux_386.elf, type: SAMPLE

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.135.101.78
 aras.liveya.org Hong Kong
4842 TH-AS-APTianhaiInfoTechCN true

Contacted Domains

Name IP Active
aras.liveya.org 103.135.101.78 true
daisy.ubuntu.com 162.213.35.25 true
www.google.com 142.250.181.100 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.135.101.78:808/password.txt true
  • Avira URL Cloud: safe
 unknown