False error report for IoT Malware #1402
Comments
readelf for the input file:

```
readelf -a 677af86345498bb922bf039612027c313b033430f26dd7dc40cd89a70c148350
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x1078b8
  Start of program headers:          64 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         3
  Size of section headers:           64 (bytes)
  Number of section headers:         0 (64)
  Section header string table index: 0
readelf: Warning: Section 1 has an out of range sh_link value of 35316
readelf: Warning: Section 2 has an out of range sh_link value of 4096
readelf: Warning: Section 3 has an out of range sh_link value of 2690402161
readelf: Warning: Section 4 has an out of range sh_link value of 3664425689
readelf: Warning: Section 5 has an out of range sh_link value of 402653513
readelf: Warning: Section 6 has an out of range sh_link value of 655040459
readelf: Warning: Section 6 has an out of range sh_info value of 2900630327
readelf: Warning: Section 7 has an out of range sh_link value of 3859355277
readelf: Warning: Section 8 has an out of range sh_link value of 2955187667
readelf: Warning: Section 8 has an out of range sh_info value of 4249781182
readelf: Warning: Section 9 has an out of range sh_link value of 1167071865
readelf: Warning: Section 9 has an out of range sh_info value of 2260283467
readelf: Warning: Section 10 has an out of range sh_link value of 2194248428
readelf: Warning: Section 10 has an out of range sh_info value of 2174007906
readelf: Warning: Section 11 has an out of range sh_link value of 1824668075
readelf: Warning: Section 11 has an out of range sh_info value of 51518637
readelf: Warning: Section 12 has an out of range sh_link value of 1271563492
readelf: Warning: Section 13 has an out of range sh_link value of 858802080
readelf: Warning: Section 14 has an out of range sh_link value of 1928825447
readelf: Warning: Section 14 has an out of range sh_info value of 341828575
readelf: Warning: Section 15 has an out of range sh_link value of 4131397949
readelf: Warning: Section 15 has an out of range sh_info value of 1207491955
readelf: Warning: Section 16 has an out of range sh_link value of 1861659953
readelf: Warning: Section 17 has an out of range sh_link value of 2346387413
readelf: Warning: Section 17 has an out of range sh_info value of 4003148455
readelf: Warning: Section 18 has an out of range sh_link value of 3512625301
readelf: Warning: Section 18 has an out of range sh_info value of 3601188898
readelf: Warning: Section 19 has an out of range sh_link value of 1316465299
readelf: Warning: Section 19 has an out of range sh_info value of 1554546411
readelf: Warning: Section 20 has an out of range sh_link value of 3330241829
readelf: Warning: Section 20 has an out of range sh_info value of 181360349
readelf: Warning: Section 21 has an out of range sh_link value of 2068090310
readelf: Warning: Section 22 has an out of range sh_link value of 3041250821
readelf: Warning: Section 23 has an out of range sh_link value of 4202820309
readelf: Warning: Section 24 has an out of range sh_link value of 750376870
readelf: Warning: Section 25 has an out of range sh_link value of 298136863
readelf: Warning: Section 26 has an out of range sh_link value of 1810420453
readelf: Warning: Section 26 has an out of range sh_info value of 3791290488
readelf: Warning: Section 27 has an out of range sh_link value of 1650520662
readelf: Warning: Section 27 has an out of range sh_info value of 132284865
readelf: Warning: Section 28 has an out of range sh_link value of 1362291558
readelf: Warning: Section 28 has an out of range sh_info value of 2109541561
readelf: Warning: Section 29 has an out of range sh_link value of 1136030517
readelf: Warning: Section 29 has an out of range sh_info value of 2179792165
readelf: Warning: Section 30 has an out of range sh_link value of 2864118859
readelf: Warning: Section 30 has an out of range sh_info value of 2391974129
readelf: Warning: Section 31 has an out of range sh_link value of 3051757111
readelf: Warning: Section 31 has an out of range sh_info value of 1630849670
readelf: Warning: Section 32 has an out of range sh_link value of 1307566630
readelf: Warning: Section 33 has an out of range sh_link value of 1566613909
readelf: Warning: Section 34 has an out of range sh_link value of 3335171648
readelf: Warning: Section 34 has an out of range sh_info value of 3743311620
readelf: Warning: Section 35 has an out of range sh_link value of 390473681
readelf: Warning: Section 36 has an out of range sh_link value of 2990471035
readelf: Warning: Section 37 has an out of range sh_link value of 1900312966
readelf: Warning: Section 37 has an out of range sh_info value of 1063476612
readelf: Warning: Section 38 has an out of range sh_link value of 1130863239
readelf: Warning: Section 38 has an out of range sh_info value of 3750657381
readelf: Warning: Section 39 has an out of range sh_link value of 1625056560
readelf: Warning: Section 39 has an out of range sh_info value of 2664132399
readelf: Warning: Section 40 has an out of range sh_link value of 1659232576
readelf: Warning: Section 40 has an out of range sh_info value of 150014255
readelf: Warning: Section 41 has an out of range sh_link value of 816390592
readelf: Warning: Section 42 has an out of range sh_link value of 3123577714
readelf: Warning: Section 43 has an out of range sh_link value of 759773024
readelf: Warning: Section 43 has an out of range sh_info value of 1961424870
readelf: Warning: Section 44 has an out of range sh_link value of 3051001694
readelf: Warning: Section 44 has an out of range sh_info value of 4161035276
readelf: Warning: Section 45 has an out of range sh_link value of 2252698922
readelf: Warning: Section 46 has an out of range sh_link value of 899029099
readelf: Warning: Section 46 has an out of range sh_info value of 2277552764
readelf: Warning: Section 47 has an out of range sh_link value of 1507422589
readelf: Warning: Section 48 has an out of range sh_link value of 3253992830
readelf: Warning: Section 48 has an out of range sh_info value of 1059216683
readelf: Warning: Section 49 has an out of range sh_link value of 3113335684
readelf: Warning: Section 50 has an out of range sh_link value of 3184936145
readelf: Warning: Section 50 has an out of range sh_info value of 3704378892
readelf: Warning: Section 51 has an out of range sh_link value of 2166079142
readelf: Warning: Section 52 has an out of range sh_link value of 956155412
readelf: Warning: Section 52 has an out of range sh_info value of 810604699
readelf: Warning: Section 53 has an out of range sh_link value of 1829392346
readelf: Warning: Section 53 has an out of range sh_info value of 4184108334
readelf: Warning: Section 54 has an out of range sh_link value of 4105186470
readelf: Warning: Section 55 has an out of range sh_link value of 33614202
readelf: Warning: Section 55 has an out of range sh_info value of 2455073876
readelf: Warning: Section 56 has an out of range sh_link value of 513758728
readelf: Warning: Section 57 has an out of range sh_link value of 2175892253
readelf: Warning: Section 58 has an out of range sh_link value of 2623492457
readelf: Warning: Section 59 has an out of range sh_link value of 1545094920
readelf: Warning: Section 60 has an out of range sh_link value of 1563267508
readelf: Warning: Section 60 has an out of range sh_info value of 3249196638
readelf: Warning: Section 61 has an out of range sh_link value of 69866420
readelf: Warning: Section 61 has an out of range sh_info value of 1424884424
readelf: Warning: Section 62 has an out of range sh_link value of 4250140222
readelf: Warning: Section 62 has an out of range sh_info value of 3131437143
readelf: Warning: Section 63 has an out of range sh_link value of 2109702334
```
readelf for the unpacked file:

```
readelf -a 72f1b91327ffda4cf18a2bf64913b673d39ebbff8cbe50c9cd354b1dcd312bcc
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x400194
  Start of program headers:          64 (bytes into file)
  Start of section headers:          75904 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         3
  Size of section headers:           64 (bytes)
  Number of section headers:         15
  Section header string table index: 12
```
because the ELF file format doesn't have a dedicated field to indicate the targeted OS, capa uses a number of heuristics to guess at the OS. these don't seem to be sufficient for either the packed or the unpacked image. the packed image is somewhat broken and there are no good artifacts present. since capa expects to be run against unpacked binaries, I'm not sure that we'll be able to do anything here. fortunately you can unpack the sample easily:

the unpacked image also doesn't match any of the existing heuristics; however, there's a potential new hint: .symtab entries for libc resources related to linux:

we should update our OS detection (here: https://github.com/mandiant/capa/blob/master/capa/features/extractors/elf.py) to use these entries to identify the underlying OS as linux.
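As an added illustration of the heuristic proposed above (example code written for this page, not capa's own `elf.py` extractor): walk the ELF64 section headers, read the names in `.symtab`/`.dynsym`, and report `linux` when glibc symbols are present. The hint list and the in-memory ELF fixture are assumptions constructed for the example; the `sh_link` bounds check is there because the packed sample's headers point outside the section table, as the readelf warnings show.

```python
import struct

SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
# Hypothetical hint list for this example: symbols that glibc-linked Linux
# binaries carry; a real detector would curate this from a corpus.
LINUX_LIBC_HINTS = {"__libc_start_main", "__libc_csu_init", "_IO_stdin_used"}

def elf64_symbol_names(data: bytes) -> set:
    """Collect symbol names from SHT_SYMTAB/SHT_DYNSYM of a little-endian ELF64.
    Sections whose sh_link is out of range (what readelf warned about) are skipped."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        return set()  # no section headers at all (as in the packed sample)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    names = set()
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_link >= e_shnum:
            continue  # not a symbol table, or its string table index is garbage
        st_off, st_size = shdrs[sh_link][4], shdrs[sh_link][5]
        strtab = data[st_off:st_off + st_size]
        for off in range(sh_off, sh_off + sh_size, sh_entsize or 24):
            (st_name,) = struct.unpack_from("<I", data, off)
            if 0 < st_name < len(strtab):
                end = strtab.find(b"\0", st_name)
                names.add(strtab[st_name:end if end >= 0 else None].decode(errors="replace"))
    return names

def guess_os(data: bytes) -> str:
    """OS heuristic: glibc symbol names in the symbol table imply Linux."""
    return "linux" if elf64_symbol_names(data) & LINUX_LIBC_HINTS else "unknown"

def build_test_elf(symbols, bad_link=False) -> bytes:
    """Construct a minimal ELF64 with .strtab and .symtab (fixture for this example only)."""
    strtab, offs = b"\0", []
    for s in symbols:
        offs.append(len(strtab)); strtab += s.encode() + b"\0"
    symtab = b"".join(struct.pack("<IBBHQQ", o, 0x12, 0, 1, 0, 0) for o in offs)
    str_off = 64; sym_off = str_off + len(strtab); shoff = sym_off + len(symtab)
    shdr = lambda t, off, size, link, ent: struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, off, size, link, 0, 1, ent)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(SHT_STRTAB, str_off, len(strtab), 0, 0)
             + shdr(SHT_SYMTAB, sym_off, len(symtab), 99 if bad_link else 1, 24))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 0)
    return ehdr + strtab + symtab + shdrs
```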
even when the OS is specified manually, we don't get many results. we should spend some time writing rules that match the interesting behavior for this ELF/Linux sample:
Thanks for the issue. We've tweaked the OS detection and will track rule additions for this in mandiant/capa-rules#736.
Description
I have an IoT malware sample that targets i386 Linux systems. The sample's hash value is 0a1a8ca1ce27a04bf9618fe0f6bc94e6. I ran the sample through capa, but it gave a false error report. Capa is supposed to support Linux, so I'm wondering why the error occurred.
Steps to Reproduce
Expected behavior:
The file should have a specific capability, such as being packed with UPX.
Actual behavior:
Versions
Additional Information
These are YARA rules that identify the capabilities of Linux malware. anti-analysis