Monday, April 18, 2022

, , , , , , , , ,

VirusTotal Multisandbox+= ELF DIGEST

VirusTotal welcomes ELF DIGEST, the first integrated multi-sandox fully dedicated to only processing linux files. This addition helps put the spotlight on linux malware.

In the words of the founder Tolijan Trajanovski:

ELF DIGEST is a cloud-based Linux malware analysis service provided to security researchers, analysts, and academics. The service performs static, behavioral, and network analysis to extract IoCs and IoAs. The static analysis searches for IoCs in the strings and may also identify obfuscation in the form of string encoding and executable packing. The behavioral analysis can recognize various malicious actions, including VM detection, anti-debugging, persistence, process injection, loading of kernel modules, firewall configuration changes, and others. The network analysis can identify C2 endpoints, resolved domains, HTTP requests, and port scanning. In addition, ELF DIGEST utilizes the open-source malware labeling tool AvClass to determine the most probable malware family the analyzed sample belongs to. The currently supported CPU architectures include ARMv5, ARMv7, MIPS, x86 and x86_64. The detailed findings of the analysis are presented in an aggregated view and can be also downloaded as a JSON report.

Let's take a deeper dive on some samples:

Botnet on ARM with iptables kernel modules

This sample is part of the Mirai botnet. At the top of the report we can see the network communication, possibly the command and control server.


In the shell commands we can observe the iptables firewall stopped and tables flushed. This would allow the malware to communicate without the firewall obstructing it.

The linux kernel modules being loaded, which are most likely related to the iptables command line interactions.

We can explore other pivots either on the relationships tab, or within VirusTotal Graph. Here we can see more details with respect to the command and control infrastructure as well as relations to other files, URL, and IPs.

Mozi botnet with bittorrent

Within this sample we see DNS resolutions to common bittorrent trackers and traffic on common bittorrent port 6881.

In the HTTP requests section, scanning for other vulnerable devices on the internet

Using a file search modifier we can find similar samples that perform the same request. behaviour_network:"boaform/admin"

ELF DIGEST, uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with snort and suricata, using rules from community contributors.

Other Interesting samples to have a look at:

ELF DIGEST is a great addition to VirusTotal, and will help further shine the spotlight on linux malware. Happy Hunting!


Post a Comment