Linux Analysis Report
xd.arm7.elf

Overview

General Information

Sample name:	xd.arm7.elf
Analysis ID:	1669055
MD5:	9d901409865a22d0578788bd58250e19
SHA1:	77a3bf98ecc1c1a796446bc7382a21261175c377
SHA256:	53cd3e0f57e4da5638cba9961a5b49fae5207bc2918f42dbeec09ad9ddc5f1a3
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: xd.arm7.elf	Virustotal: Detection: 39%			Perma Link
Source: xd.arm7.elf	ReversingLabs: Detection: 44%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:60828 -> 209.141.33.93:5538

Sample listens on a socket

Source: /tmp/xd.arm7.elf (PID: 6212)

Socket: 192.168.2.23:9473

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93

Source: xd.arm7.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 39246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39246
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6212.1.00007fa498017000.00007fa498029000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: xd.arm7.elf PID: 6212, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Yara signature match

Source: 6212.1.00007fa498017000.00007fa498029000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: xd.arm7.elf PID: 6212, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal60.evad.linELF@0/51@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Creates hidden files and/or directories

Source: /usr/sbin/logrotate (PID: 6263)	Directory: //.	Jump to behavior
Source: /usr/bin/find (PID: 6311)	Directory: //.	Jump to behavior
Source: /usr/bin/mandb (PID: 6326)	Directory: /var/cache/man/.manpath	Jump to behavior

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6342)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qITcp3Q12J /tmp/tmp.O175aKJtiZ /tmp/tmp.FujIj6PsPc			Jump to behavior
Source: /usr/bin/dash (PID: 6343)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qITcp3Q12J /tmp/tmp.O175aKJtiZ /tmp/tmp.FujIj6PsPc			Jump to behavior

ELF contains segments with high entropy indicating compressed/encrypted content

Source: xd.arm7.elf

Submission file: segment LOAD with 7.9522 entropy (max. 8.0)

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/xd.arm7.elf (PID: 6212)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/bin/find (PID: 6311)	Queries kernel information via 'uname':			Jump to behavior

Source: 6326.21.dr	Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 6326.21.dr	Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 6326.21.dr	Binary or memory string: qemu-or1k
Source: 6326.21.dr	Binary or memory string: qemu-riscv64
Source: 6326.21.dr	Binary or memory string: {cqemu
Source: 6326.21.dr	Binary or memory string: qemu-arm
Source: xd.arm7.elf, 6212.1.00007ffd4e065000.00007ffd4e086000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/xd.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/xd.arm7.elf
Source: 6326.21.dr	Binary or memory string: (qemu
Source: 6326.21.dr	Binary or memory string: qemu-tilegx
Source: 6326.21.dr	Binary or memory string: qemu-hppa
Source: 6326.21.dr	Binary or memory string: q{rqemu%
Source: 6326.21.dr	Binary or memory string: )qemu
Source: 6326.21.dr	Binary or memory string: vmware-toolbox-cmd
Source: 6326.21.dr	Binary or memory string: qemu-ppc
Source: 6326.21.dr	Binary or memory string: Tqemu9
Source: 6326.21.dr	Binary or memory string: qemu-aarch64_be
Source: 6326.21.dr	Binary or memory string: 0qemu9
Source: 6326.21.dr	Binary or memory string: qemu-sparc64
Source: 6326.21.dr	Binary or memory string: qemu-mips64
Source: 6326.21.dr	Binary or memory string: vV:qemu9
Source: 6326.21.dr	Binary or memory string: qemu-ppc64le
Source: 6326.21.dr	Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 6326.21.dr	Binary or memory string: vmware
Source: 6326.21.dr	Binary or memory string: qemu-cris
Source: 6326.21.dr	Binary or memory string: libvmtools
Source: 6326.21.dr	Binary or memory string: qemu-m68k
Source: 6326.21.dr	Binary or memory string: qemu-xtensa
Source: 6326.21.dr	Binary or memory string: 9qemu
Source: 6326.21.dr	Binary or memory string: qemu-sh4
Source: 6326.21.dr	Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: xd.arm7.elf, 6212.1.000055fa01fd0000.000055fa0219e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 6326.21.dr	Binary or memory string: .qemu{
Source: 6326.21.dr	Binary or memory string: qemu-ppc64abi32
Source: 6326.21.dr	Binary or memory string: qemu-ppc64
Source: 6326.21.dr	Binary or memory string: qemu-i386
Source: 6326.21.dr	Binary or memory string: qemu-x86_64
Source: 6326.21.dr	Binary or memory string: H~6\nqemu*q
Source: 6326.21.dr	Binary or memory string: @qemu
Source: 6326.21.dr	Binary or memory string: Fqqemu
Source: xd.arm7.elf, 6212.1.000055fa01fd0000.000055fa0219e000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 6326.21.dr	Binary or memory string: N4qemu
Source: 6326.21.dr	Binary or memory string: ~6\nqemu*q
Source: 6326.21.dr	Binary or memory string: qemu-mips64el
Source: 6326.21.dr	Binary or memory string: hqemu
Source: 6326.21.dr	Binary or memory string: &mqemu
Source: 6326.21.dr	Binary or memory string: $qemu
Source: 6326.21.dr	Binary or memory string: qemu-sparc
Source: 6326.21.dr	Binary or memory string: qemu-microblaze
Source: 6326.21.dr	Binary or memory string: qemu-user
Source: 6326.21.dr	Binary or memory string: qemu-aarch64
Source: 6326.21.dr	Binary or memory string: qemu-sh4eb
Source: 6326.21.dr	Binary or memory string: iqemu
Source: 6326.21.dr	Binary or memory string: qemu-mipsel
Source: 6326.21.dr	Binary or memory string: qemuP`
Source: 6326.21.dr	Binary or memory string: qemu-alpha
Source: 6326.21.dr	Binary or memory string: qemu-microblazeel
Source: 6326.21.dr	Binary or memory string: \qemu
Source: 6326.21.dr	Binary or memory string: qemu-xtensaeb
Source: 6326.21.dr	Binary or memory string: qemu-mipsn32el
Source: 6326.21.dr	Binary or memory string: SAqemu
Source: 6326.21.dr	Binary or memory string: Vqemu
Source: 6326.21.dr	Binary or memory string: qemu-mipsn32
Source: 6326.21.dr	Binary or memory string: qemuAU
Source: 6326.21.dr	Binary or memory string: qemu-riscv32
Source: 6326.21.dr	Binary or memory string: qemu-sparc32plus
Source: 6326.21.dr	Binary or memory string: 7,qemu
Source: 6326.21.dr	Binary or memory string: qemu-s390x
Source: 6326.21.dr	Binary or memory string: vmware-checkvm
Source: 6326.21.dr	Binary or memory string: qemu-nios2
Source: 6326.21.dr	Binary or memory string: qemu-armeb
Source: 6326.21.dr	Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 6326.21.dr	Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 6326.21.dr	Binary or memory string: I_qemu
Source: xd.arm7.elf, 6212.1.00007ffd4e065000.00007ffd4e086000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: 6326.21.dr	Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 6326.21.dr	Binary or memory string: -3315837702310A--gzvmware shared library
Source: 6326.21.dr	Binary or memory string: qemu-mips
Source: 6326.21.dr	Binary or memory string: qemuj\
Source: 6326.21.dr	Binary or memory string: {qemuQ&
Source: 6326.21.dr	Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 6326.21.dr	Binary or memory string: vmware-xferlogs

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
209.141.33.93	unknown	United States	53667	PONYNETUS	false
34.249.145.219	unknown	United States	16509	AMAZON-02US	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Name	Type	MD5	SHA1	SHA256
/var/cache/man/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	0C99179B6C5CFE82203424AD7DAD0D8F	CAC50B64B1352723FF8F58BB1B103B93C396539B	CEC6859D12C6A981ACA4D7C88F6E62E9616FB4D765C4A52147A7DA7BAD4F2420
/var/cache/man/cs/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	D0CA2EBA9E7A17D4680AA9DDC5F88946	270F443EFF85209052AE8FFA86660AFB0FAAD39B	9504DC65F8B4E057D0939FA3B2C640FC703D0290EE19381836BAA5EB3EFBADBD
/var/cache/man/cs/index.db.nDpyzz	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/da/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	4DF08004EE4C5384C02376841F2B50BC	C02E58212CA012913390B4C1CCD64DD3353009EE	F4D6A62A734E2844B99F3AD0EB480373AFBE56B29C0CFC9C70D9DFDF19D95C02
/var/cache/man/da/index.db.xTR9zz	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/de/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	1CEFC8C8A00D0341CD46EC5E8C985248	47D6E8828D7A05EE5A2BA4AED0CEBE7585824850	55F6D32AD8B555D803FADDF93538D6DFEFC55FFEEC3A6D26C254F72C5C5621C7
/var/cache/man/de/index.db.301NZw	GNU dbm 1.x or ndbm database, little endian, 64-bit	55880A8B73FD160B73198E09A21C83DB	5EB780702D2501747AF46F7525EF5C635EC5E64C	66BD4C98AF40E2E208AC102ACD0F555A6C118E7258D91B833BE1D53EBFFB7BBB
/var/cache/man/es/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	3DBF4FF017D406F407BFBC2011BCAE9E	FF64864ACA18DFA7869715CE8AA5ECC3DABA54B6	640C040F364061A5825E913682798C9BC8E1081088894D3FEB2C3EC39D02A379
/var/cache/man/es/index.db.v2s7Nv	GNU dbm 1.x or ndbm database, little endian, 64-bit	F0B902DEA5EF122A0B1F0F496DDC781B	90176D320A9C3601787D53CC346DC743367D53F1	CFD64D42263C5D323AF423FC09CDB5DDB2F914114B87BAB6566EAB1020F15DE0
/var/cache/man/fi/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	09F6ED1A60B8A4203EA97CF5926C6AFF	C28F4E393D55AD057E3C7608741904B796F67076	56664D61D0BB8BF34CCA28C73CB314CB73EA1C4FAC64D2208B43F63C009FC855
/var/cache/man/fi/index.db.2Wpngw	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/fr.ISO8859-1/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	43ADE2E40B8B5A0DFA0A155FC9A02F7F	3D04BDFFD0E2A8433150C87D334014099336A5C5	81E48EE4653A5E6F25C33133F24F045EB1EB2CC6724ECE0C5336612AB711273E
/var/cache/man/fr.ISO8859-1/index.db.ITGL0w	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/fr.UTF-8/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	43ADE2E40B8B5A0DFA0A155FC9A02F7F	3D04BDFFD0E2A8433150C87D334014099336A5C5	81E48EE4653A5E6F25C33133F24F045EB1EB2CC6724ECE0C5336612AB711273E
/var/cache/man/fr.UTF-8/index.db.6LWx5x	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/fr/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	50E7C5D1FE132EA6BE2B7163CC0D55EA	228672C402B25717257642BAB9D4F548115B24C5	7CDFCD9D8DEA44D9E71CC1762CB60ECF8F5234908974B3AC8C074D27E8022A4F
/var/cache/man/fr/index.db.namXjw	GNU dbm 1.x or ndbm database, little endian, 64-bit	425CB57CD9B42556C8089FE7A7A3E495	4F33F9A9897218FDED958FD8F8D7AF7CD8BC48F3	85E01EFF2AC0C83C827E118D5CE2CD1E1A19E059688B6E0D09CB3CC131F065D3
/var/cache/man/hu/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	18F02B57872A97DE1E82FF5348A5AF1B	52F332343B120B1C950AC02B3C923556C70DC62A	5C605DE68B3E05754698485F73413F4052AEA8C3AAE6012AC6416B3B6B056DF7
/var/cache/man/hu/index.db.iAJ40x	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/id/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	3AFDA1B0F729816929FF7A6628D776D5	5982940A5782F11AEB5BF859C055DE3FEFBDF5DB	77809D5F38F6D96A2E8BA9BE0DFBB16C10B6B1FF7D2BA1DD5FB9437F73C47E7F
/var/cache/man/id/index.db.0p8Lbx	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/index.db.cjc7Rx	GNU dbm 1.x or ndbm database, little endian, 64-bit	2E442DBA85DEDFDCB07090FDF9DE90D0	02658086E93854D13D82B1F0D80F4B78D26DCA51	62406BFE7657964E490DE65A0007F7C1D59B62B2B9AD35BA55BA219673378848
/var/cache/man/it/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	B228DE097081AF360D337CF8C8FF2C6F	7DD2C4640925B225F98014566F73C35F4E960940	1056CECADA78542B173EE469C9BEAF61F81298EBBD21B54EA6EE449028E18B3F
/var/cache/man/it/index.db.KnKoFw	GNU dbm 1.x or ndbm database, little endian, 64-bit	F0B902DEA5EF122A0B1F0F496DDC781B	90176D320A9C3601787D53CC346DC743367D53F1	CFD64D42263C5D323AF423FC09CDB5DDB2F914114B87BAB6566EAB1020F15DE0
/var/cache/man/ja/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	D3CD7D67F8155491493BB7235FB9AA57	5A7AE62A7AFE50EFCCED06CBD56AE2A0A284EFF3	6958349ECA637F99AABC419B5E402CFB50BC5B8867F31BCB67F064F47A209929
/var/cache/man/ja/index.db.GgPChx	GNU dbm 1.x or ndbm database, little endian, 64-bit	F0B902DEA5EF122A0B1F0F496DDC781B	90176D320A9C3601787D53CC346DC743367D53F1	CFD64D42263C5D323AF423FC09CDB5DDB2F914114B87BAB6566EAB1020F15DE0
/var/cache/man/ko/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	FBA25855E1C99D8F87E8AC13E2E2ECB1	D99351AC40D6CC4C9BE54E0E018C44A9A88983D7	C0E18ED1CEFF427FD4D57D1B79CE1AF7320AC8453BAF8A0349C08267464C4D71
/var/cache/man/ko/index.db.H0549y	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/nl/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	27FED1CA8EB0101C459D9A617C833293	503B2A3E33FE79FF2CD58F831ED33DB358849BEA	C3033C4F7CF0D6108611EF5A62CA893F98EE6463DDCFF7100D3BAFDEB0036D9E
/var/cache/man/nl/index.db.iLmqXw	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/pl/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	37CEBCD3F5BF6322785FFF568EE33131	201298C827C77C60CD314BF721DC4C27EF95BD64	012C5597C5DD8654EB14432AFCEFD9B131F2CE75AD21488991A5A688929AAEA6
/var/cache/man/pl/index.db.BJXk4z	GNU dbm 1.x or ndbm database, little endian, 64-bit	F0B902DEA5EF122A0B1F0F496DDC781B	90176D320A9C3601787D53CC346DC743367D53F1	CFD64D42263C5D323AF423FC09CDB5DDB2F914114B87BAB6566EAB1020F15DE0
/var/cache/man/pt/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	782FF89B6FA5932F7019AF9CF3F82E43	2ECE8DC134E3A292E2545AA2DCD24114A5FC5749	01E77D9235C524F2A61EA03953607C13831C391A5B9AB0D9094F9C38F0EEB02E
/var/cache/man/pt/index.db.KUuGGz	GNU dbm 1.x or ndbm database, little endian, 64-bit	F0B902DEA5EF122A0B1F0F496DDC781B	90176D320A9C3601787D53CC346DC743367D53F1	CFD64D42263C5D323AF423FC09CDB5DDB2F914114B87BAB6566EAB1020F15DE0
/var/cache/man/pt_BR/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	A11F5E85A2A07AF84255570AE29318FB	D06BF25E5FD4A17BCF7C5BD77ACD747F0FE181E8	8FFA8BC408B254217275A622D054853CB72B08409A11AA49C4C664C0DABFB62F
/var/cache/man/pt_BR/index.db.0qNhDw	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/ru/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	DF5C1114538C5D8EA1EE929FFAC24E3C	B6331AF77566B63EA8204BE85F5DC99FAF51479E	F238C75DAD82E10AB011A9BF79775B2A5F5889644A5A06835933340845A08555
/var/cache/man/ru/index.db.dc8LLx	GNU dbm 1.x or ndbm database, little endian, 64-bit	5B66CE03BFE548DEE335E0518E4E0554	65397845DC679AA972454B0FF237A513C0F490CB	C38BB21B1D92166794DC09807C9A55B67B0A760C684FEEDD0C931F8415DD6D29
/var/cache/man/sl/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	67697BEA7C23E4805A82FE9755BB3CAE	14ACAFF0BECBDB116E4C0BC329E59DEF68CF46D1	553DA7FF76999B7CCC4450498B11E6BD98B3B1E5FF81D82A53568F84B0D270D5
/var/cache/man/sl/index.db.YAItew	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/sr/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	0DD75ECC81E4E564EA56A57FF32A24D3	859C0FE5F86A2C5A32BAD7920787BE845F34C4FB	DB778B175D19DEFA4180D0B12D675AD0B8B22CC4BB77702D9EC8510F894EB3B1
/var/cache/man/sr/index.db.sVLTCx	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/sv/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	D97454D6B1F39F39966A809BCA3D9647	276931CED8F34B7651C1BDFC8522FF0560E2C377	DCB8CE7F4F21595D851100F315C56B717541DB898AEB9ED9C0CCC9FF217A5801
/var/cache/man/sv/index.db.IyLb6w	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/tr/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	5F905B930E7310E72BC3DF5C50F8E579	50B1AD3115F095C743CB26F87ECCE406FAC3523B	1DB72BA77CA01F25CA9768999825D8F97F5ED4D00E17C9130D6F7CDE34130270
/var/cache/man/tr/index.db.AZUgCy	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/zh_CN/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	39398A15564A55EB7BFE895D7668A5A3	28DA677435B87176E08AFABBF8B51F7B93E22948	A4C0216476E357ED3A23E71333DBE7DE91E04370EF049032EE8E47BB1EDBD83B
/var/cache/man/zh_CN/index.db.bQIkOw	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/cache/man/zh_TW/6326	GNU dbm 1.x or ndbm database, little endian, 64-bit	1FC5F2B98E5BC25B10373353D91B86B1	D848DA35B0731328195D59C1E996B95C4952F1F9	509FAD18B4454CD70D974755F6156D4A5FA9B960AB9FF468D1FC350F0B64F379
/var/cache/man/zh_TW/index.db.LVddUx	GNU dbm 1.x or ndbm database, little endian, 64-bit	EE429C7E8B222AFF73C611A8C358B661	DA353E80DCF1195F259CCBC32D39F5923710453F	BDAAC26D90701E063943763B7CBD9204B6F0007C6F1BCA3C7B4FE3B09CDF6091
/var/lib/logrotate/status.tmp	ASCII text	77441094BFA5098A9279BCDA457DFB2B	542EDB451C68EE2BFAEF4DEAE2F1469B08361232	957401802152D830D6B92B9ECD022377F91C45E362ACA35F5B94FBFFB7A2EB4F

AV Detection

Multi AV Scanner detection for submitted file

Source: xd.arm7.elf	Virustotal: Detection: 39%			Perma Link
Source: xd.arm7.elf	ReversingLabs: Detection: 44%

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:60828 -> 209.141.33.93:5538

Sample listens on a socket

Source: /tmp/xd.arm7.elf (PID: 6212)

Socket: 192.168.2.23:9473

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown	TCP traffic detected without corresponding DNS query: 209.141.33.93

Source: xd.arm7.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 39246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39246
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6212.1.00007fa498017000.00007fa498029000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: xd.arm7.elf PID: 6212, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8000

Yara signature match

Source: 6212.1.00007fa498017000.00007fa498029000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: xd.arm7.elf PID: 6212, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal60.evad.linELF@0/51@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Creates hidden files and/or directories

Source: /usr/sbin/logrotate (PID: 6263)	Directory: //.	Jump to behavior
Source: /usr/bin/find (PID: 6311)	Directory: //.	Jump to behavior
Source: /usr/bin/mandb (PID: 6326)	Directory: /var/cache/man/.manpath	Jump to behavior

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6342)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qITcp3Q12J /tmp/tmp.O175aKJtiZ /tmp/tmp.FujIj6PsPc			Jump to behavior
Source: /usr/bin/dash (PID: 6343)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qITcp3Q12J /tmp/tmp.O175aKJtiZ /tmp/tmp.FujIj6PsPc			Jump to behavior

ELF contains segments with high entropy indicating compressed/encrypted content

Source: xd.arm7.elf

Submission file: segment LOAD with 7.9522 entropy (max. 8.0)

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/xd.arm7.elf (PID: 6212)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/bin/find (PID: 6311)	Queries kernel information via 'uname':			Jump to behavior

Source: 6326.21.dr	Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 6326.21.dr	Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 6326.21.dr	Binary or memory string: qemu-or1k
Source: 6326.21.dr	Binary or memory string: qemu-riscv64
Source: 6326.21.dr	Binary or memory string: {cqemu
Source: 6326.21.dr	Binary or memory string: qemu-arm
Source: xd.arm7.elf, 6212.1.00007ffd4e065000.00007ffd4e086000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/xd.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/xd.arm7.elf
Source: 6326.21.dr	Binary or memory string: (qemu
Source: 6326.21.dr	Binary or memory string: qemu-tilegx
Source: 6326.21.dr	Binary or memory string: qemu-hppa
Source: 6326.21.dr	Binary or memory string: q{rqemu%
Source: 6326.21.dr	Binary or memory string: )qemu
Source: 6326.21.dr	Binary or memory string: vmware-toolbox-cmd
Source: 6326.21.dr	Binary or memory string: qemu-ppc
Source: 6326.21.dr	Binary or memory string: Tqemu9
Source: 6326.21.dr	Binary or memory string: qemu-aarch64_be
Source: 6326.21.dr	Binary or memory string: 0qemu9
Source: 6326.21.dr	Binary or memory string: qemu-sparc64
Source: 6326.21.dr	Binary or memory string: qemu-mips64
Source: 6326.21.dr	Binary or memory string: vV:qemu9
Source: 6326.21.dr	Binary or memory string: qemu-ppc64le
Source: 6326.21.dr	Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 6326.21.dr	Binary or memory string: vmware
Source: 6326.21.dr	Binary or memory string: qemu-cris
Source: 6326.21.dr	Binary or memory string: libvmtools
Source: 6326.21.dr	Binary or memory string: qemu-m68k
Source: 6326.21.dr	Binary or memory string: qemu-xtensa
Source: 6326.21.dr	Binary or memory string: 9qemu
Source: 6326.21.dr	Binary or memory string: qemu-sh4
Source: 6326.21.dr	Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: xd.arm7.elf, 6212.1.000055fa01fd0000.000055fa0219e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 6326.21.dr	Binary or memory string: .qemu{
Source: 6326.21.dr	Binary or memory string: qemu-ppc64abi32
Source: 6326.21.dr	Binary or memory string: qemu-ppc64
Source: 6326.21.dr	Binary or memory string: qemu-i386
Source: 6326.21.dr	Binary or memory string: qemu-x86_64
Source: 6326.21.dr	Binary or memory string: H~6\nqemu*q
Source: 6326.21.dr	Binary or memory string: @qemu
Source: 6326.21.dr	Binary or memory string: Fqqemu
Source: xd.arm7.elf, 6212.1.000055fa01fd0000.000055fa0219e000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 6326.21.dr	Binary or memory string: N4qemu
Source: 6326.21.dr	Binary or memory string: ~6\nqemu*q
Source: 6326.21.dr	Binary or memory string: qemu-mips64el
Source: 6326.21.dr	Binary or memory string: hqemu
Source: 6326.21.dr	Binary or memory string: &mqemu
Source: 6326.21.dr	Binary or memory string: $qemu
Source: 6326.21.dr	Binary or memory string: qemu-sparc
Source: 6326.21.dr	Binary or memory string: qemu-microblaze
Source: 6326.21.dr	Binary or memory string: qemu-user
Source: 6326.21.dr	Binary or memory string: qemu-aarch64
Source: 6326.21.dr	Binary or memory string: qemu-sh4eb
Source: 6326.21.dr	Binary or memory string: iqemu
Source: 6326.21.dr	Binary or memory string: qemu-mipsel
Source: 6326.21.dr	Binary or memory string: qemuP`
Source: 6326.21.dr	Binary or memory string: qemu-alpha
Source: 6326.21.dr	Binary or memory string: qemu-microblazeel
Source: 6326.21.dr	Binary or memory string: \qemu
Source: 6326.21.dr	Binary or memory string: qemu-xtensaeb
Source: 6326.21.dr	Binary or memory string: qemu-mipsn32el
Source: 6326.21.dr	Binary or memory string: SAqemu
Source: 6326.21.dr	Binary or memory string: Vqemu
Source: 6326.21.dr	Binary or memory string: qemu-mipsn32
Source: 6326.21.dr	Binary or memory string: qemuAU
Source: 6326.21.dr	Binary or memory string: qemu-riscv32
Source: 6326.21.dr	Binary or memory string: qemu-sparc32plus
Source: 6326.21.dr	Binary or memory string: 7,qemu
Source: 6326.21.dr	Binary or memory string: qemu-s390x
Source: 6326.21.dr	Binary or memory string: vmware-checkvm
Source: 6326.21.dr	Binary or memory string: qemu-nios2
Source: 6326.21.dr	Binary or memory string: qemu-armeb
Source: 6326.21.dr	Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 6326.21.dr	Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 6326.21.dr	Binary or memory string: I_qemu
Source: xd.arm7.elf, 6212.1.00007ffd4e065000.00007ffd4e086000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: 6326.21.dr	Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 6326.21.dr	Binary or memory string: -3315837702310A--gzvmware shared library
Source: 6326.21.dr	Binary or memory string: qemu-mips
Source: 6326.21.dr	Binary or memory string: qemuj\
Source: 6326.21.dr	Binary or memory string: {qemuQ&
Source: 6326.21.dr	Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 6326.21.dr	Binary or memory string: vmware-xferlogs

ID:	1669055
Product:	CloudBasic
Start time:	06:58:29
Start date:	19.04.2025
Sample:	xd.arm7.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	9d901409865a22d0578788bd58250e19
SHA1:	77a3bf98ecc1c1a796446bc7382a21261175c377
SHA256:	53cd3e0f57e4da5638cba9961a5b49fae5207bc2918f42dbeec09ad9ddc5f1a3
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report
xd.arm7.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report xd.arm7.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Network Map

Contacted Public IPs

Linux Analysis Report
xd.arm7.elf