Linux Analysis Report
res.arc.elf

Overview

General Information

Sample name:	res.arc.elf
Analysis ID:	1592289
MD5:	0c3081e9b4419cad6d6030711af33470
SHA1:	53b6232be50ce7f134ed0ae7cd88de1e90b02c89
SHA256:	8c691db519531411ec36e92ee90dc810b99a918442f774162f85a3b9486e689a
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: res.arc.elf	Virustotal: Detection: 28%			Perma Link
Source: res.arc.elf	ReversingLabs: Detection: 36%

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@2/0

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 5468)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.T4qkq2sBUj /tmp/tmp.GJ3lDjyzWj /tmp/tmp.VLf1183ky7			Jump to behavior
Source: /usr/bin/dash (PID: 5469)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.T4qkq2sBUj /tmp/tmp.GJ3lDjyzWj /tmp/tmp.VLf1183ky7			Jump to behavior

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Contacted Domains

Name	IP	Active
daisy.ubuntu.com	162.213.35.24	true

ID:	1592289
Product:	CloudBasic
Start time:	00:47:10
Start date:	16.01.2025
Sample:	res.arc.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	0c3081e9b4419cad6d6030711af33470
SHA1:	53b6232be50ce7f134ed0ae7cd88de1e90b02c89
SHA256:	8c691db519531411ec36e92ee90dc810b99a918442f774162f85a3b9486e689a
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
res.arc.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report res.arc.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
res.arc.elf