Linux Analysis Report
linux_mips64el.elf

Overview

General Information

Sample name: linux_mips64el.elf
Analysis ID: 1562733
MD5: 1265c39b5611f136258f29dbfd178bf1
SHA1: cd7e382fdece089b97dbe7a44215ea8e156bafc7
SHA256: bd571c3652568d735852421473a9fce7371ce922dbc15493438651834a13a54b
Tags: elfuser-abuse_ch

Detection

Chaos
Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Chaos
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Source: linux_mips64el.elf String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_mips64el.elf String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_mips64el.elf String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_mips64el.elf String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: linux_mips64el.elf String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_mips64el.elf String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_mips64el.elf String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_mips64el.elf String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_mips64el.elf String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_mips64el.elf String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_mips64el.elf String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_mips64el.elf String found in binary or memory: http://yandex.com/bots)http:
Source: linux_mips64el.elf String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_mips64el.elf String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_mips64el.elf String found in binary or memory: https://www.so.com/s?q=index
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal48.troj.linELF@0/6@0/0
Source: ELF file section Submission: linux_mips64el.elf
Source: /tmp/linux_mips64el.elf (PID: 5531) Queries kernel information via 'uname': Jump to behavior
Source: linux_mips64el.elf, 5531.1.00007ffefacfe000.00007ffefad1f000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips64el
Source: linux_mips64el.elf, 5531.1.00007ffefacfe000.00007ffefad1f000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips64el/tmp/linux_mips64el.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/linux_mips64el.elf
Source: linux_mips64el.elf, 5531.1.0000564964d3a000.00005649650af000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips64el
Source: linux_mips64el.elf, 5531.1.0000564964d3a000.00005649650af000.rw-.sdmp Binary or memory string: dIV1MIPS64R2-generic-mips64-cpu1/etc/qemu-binfmt/mips64elu

Stealing of Sensitive Information

Source: Yara match File source: linux_mips64el.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: linux_mips64el.elf, type: SAMPLE
No contacted IP infos