Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
r5sPBYZoeg.elf

Overview

General Information

Sample Name:r5sPBYZoeg.elf
Original Sample Name:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00.elf
Analysis ID:1303707
MD5:cb42acc26fc460bf02b00f38ca4b430b
SHA1:6ed3326e64cabf5cba4c04da4aafcc4e86b07754
SHA256:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00
Tags:elf
Infos:

Detection

ConnectBack
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Yara detected ConnectBack
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sample contains only a LOAD segment without any section mappings

Classification

General Information

Joe Sandbox Version:38.0.0 Beryl
Analysis ID:1303707
Start date and time:2023-09-05 18:27:50 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:r5sPBYZoeg.elf
Original Sample Name:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: r5sPBYZoeg.elf

Runtime Messages

Command:/tmp/r5sPBYZoeg.elf
PID:5544
Exit Code:
Exit Code Info:
Killed:True
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • r5sPBYZoeg.elf (PID: 5544, Parent: 5444, MD5: cb42acc26fc460bf02b00f38ca4b430b) Arguments: /tmp/r5sPBYZoeg.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
ConnectBackConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
5544.1.0000000000400000.0000000000401000.rwx.sdmpJoeSecurity_ConnectBackYara detected ConnectBackJoe Security

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus / Scanner detection for submitted sample
    Source: r5sPBYZoeg.elfAvira: detected
    Found malware configuration
    Source: 5544.1.0000000000400000.0000000000401000.rwx.sdmpMalware Configuration Extractor: ConnectBack {"C2": "10.5.31.54:4445"}
    Multi AV Scanner detection for submitted file
    Source: r5sPBYZoeg.elfReversingLabs: Detection: 47%
    Source: unknownDNS traffic detected: queries for: daisy.ubuntu.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: LOAD without section mappingsProgram segment: 0x400000
    Source: classification engineClassification label: mal72.troj.linELF@0/0@2/0

    Stealing of Sensitive Information

    barindex
    Yara detected ConnectBack
    Source: Yara matchFile source: 5544.1.0000000000400000.0000000000401000.rwx.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Yara detected ConnectBack
    Source: Yara matchFile source: 5544.1.0000000000400000.0000000000401000.rwx.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network Medium1
    Non-Application Layer Protocol    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Malware Configuration

    Threatname: ConnectBack

    {"C2": "10.5.31.54:4445"}

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    r5sPBYZoeg.elf47%ReversingLabsLinux.Trojan.AgentSig
    r5sPBYZoeg.elf100%AviraLINUX/AgentSig.GV

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    daisy.ubuntu.com
    		185.125.188.136
    		truefalse
      		high

      World Map of Contacted IPs

      No contacted IP infos

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      daisy.ubuntu.com5w1ZVkWZr0.elfGet hashmaliciousConnectBackBrowse
      • 185.125.188.137
      uY8I5tsPyE.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      aTW6NBHzrR.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      S0wBQZF3m0.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      2UrIdiFYkk.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      kVJm6vAtbZ.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      jDSxdSv24i.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      sora.x86.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      sora.arm7.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      1YAUVrxaRE.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      VDLHJ2DiAp.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      oVj60bn37Z.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.137
      k6u3UrfMBu.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      IJB2Ub1KkE.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      KLKoNDE2QG.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      YG6BL264MC.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      SecuriteInfo.com.Linux.Siggen.9999.22201.31614.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      SecuriteInfo.com.Linux.Siggen.9999.13852.30731.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      6dQ4EzBG7Z.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      0PNv3OHIDT.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context