Linux Analysis Report
xd.x86.elf

Overview

General Information

Sample name: xd.x86.elf
Analysis ID: 1669035
MD5: 924aa5c4d04108f30f487aa3d71424fd
SHA1: d5ff6d30f2e7e573427a619c6ca052de3318059a
SHA256: 6e913e519b174fd6f62fd421733d55af85d8389baaf7a1b4e0c8d88175abdf03
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 60
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: xd.x86.elf ReversingLabs: Detection: 50%
Source: xd.x86.elf Virustotal: Detection: 42% Perma Link
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:37808 -> 209.141.33.93:5538
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: xd.x86.elf String found in binary or memory: http://upx.sf.net

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0xc01000
Yara signature match
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5441.1.0000000008048000.0000000008053000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation
barindex
Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
ELF contains segments with high entropy indicating compressed/encrypted content
Source: xd.x86.elf Submission file: segment LOAD with 7.8649 entropy (max. 8.0)
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
209.141.33.93
 unknown United States
53667 PONYNETUS false