Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
9ciLh6edh3.elf

Overview

General Information

Sample name:9ciLh6edh3.elf
renamed because original name is a hash value
Original sample name:d17a46e5e841c48a26f939a5fb157b78.elf
Analysis ID:1430193
MD5:d17a46e5e841c48a26f939a5fb157b78
SHA1:98d779e91b211114c9b23d106564b22826e1bfd0
SHA256:9e4f2aa60c13a24ea4362fd2ff06f9886c9265b51afdea1c3a91d44a03856d9b
Tags:32armelfgafgyt
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Exit code information suggests that the sample terminated abnormally, try to lookup the sample's target architecture.
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1430193
Start date and time:2024-04-23 09:35:15 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 41s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:9ciLh6edh3.elf
renamed because original name is a hash value
Original Sample Name:d17a46e5e841c48a26f939a5fb157b78.elf
Detection:MAL
Classification:mal52.evad.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: 9ciLh6edh3.elf

Runtime Messages

Command:/tmp/9ciLh6edh3.elf
PID:5503
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • 9ciLh6edh3.elf (PID: 5503, Parent: 5421, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/9ciLh6edh3.elf
  • cleanup

Yara Signatures

No yara matches

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 9ciLh6edh3.elfReversingLabs: Detection: 28%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownDNS traffic detected: queries for: daisy.ubuntu.com
Source: 9ciLh6edh3.elfString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x8000
Source: classification engineClassification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation

barindex
Sample is packed with UPX
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Source: 9ciLh6edh3.elfSubmission file: segment LOAD with 7.967 entropy (max. 8.0)
Source: /tmp/9ciLh6edh3.elf (PID: 5503)Queries kernel information via 'uname': Jump to behavior
Source: 9ciLh6edh3.elf, 5503.1.00007ffe55453000.00007ffe55474000.rw-.sdmpBinary or memory string: )x86_64/usr/bin/qemu-arm/tmp/9ciLh6edh3.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/9ciLh6edh3.elf
Source: 9ciLh6edh3.elf, 5503.1.0000555d9eb7c000.0000555d9ecaa000.rw-.sdmpBinary or memory string: ]U!/etc/qemu-binfmt/arm
Source: 9ciLh6edh3.elf, 5503.1.0000555d9eb7c000.0000555d9ecaa000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: 9ciLh6edh3.elf, 5503.1.00007ffe55453000.00007ffe55474000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: 9ciLh6edh3.elf, 5503.1.00007ffe55453000.00007ffe55474000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
9ciLh6edh3.elf29%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.net9ciLh6edh3.elffalse
      		high

      World Map of Contacted IPs

      No contacted IP infos

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      daisy.ubuntu.comSecuriteInfo.com.Linux.Siggen.9999.6529.26985.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.25
      SecuriteInfo.com.Linux.DownLoader.523.19080.5007.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25
      SecuriteInfo.com.Linux.DownLoader.532.20148.6112.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.24
      SecuriteInfo.com.Linux.Siggen.9999.10949.15787.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25
      SecuriteInfo.com.Linux.Siggen.9999.22447.5558.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.24
      SecuriteInfo.com.Linux.Siggen.9999.29052.16568.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.25
      SecuriteInfo.com.Linux.DownLoader.517.7938.4881.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25
      x86_64.crdownload.0.drGet hashmaliciousUnknownBrowse
      • 162.213.35.24
      YKLjlQEZKY.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.24
      MztxaAy8yb.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
      Entropy (8bit):7.96516463116012
      TrID:
      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
      File name:9ciLh6edh3.elf
      File size:39'768 bytes
      MD5:d17a46e5e841c48a26f939a5fb157b78
      SHA1:98d779e91b211114c9b23d106564b22826e1bfd0
      SHA256:9e4f2aa60c13a24ea4362fd2ff06f9886c9265b51afdea1c3a91d44a03856d9b
      SHA512:f4ec8941547c0a067d7d4cbfe6baf5c74860a0ede62b5dcec8a14500abe3cc6a26ef96c0b07b2257862c0683c249e1ece0190f7248b348108060bfd830dc455a
      SSDEEP:768:83wtVFVcC13v7Zi52F5bOmO+8UpY765qh3OrmmWJNXCq3UInb:8AtVFVhzoCOmpNaIyFb
      TLSH:4C03E1A0C2006670DEA29C76785F9013A285C6DCE8D7EEB406F711FD19A6C49BCF61B6
      File Content Preview:.ELF..............(.....$...4...........4. ...(.....................'...'...............................L{..........Q.td............................x.?.UPX!.........W...W......T..........?.E.h;....#..$..1)...^.,....K.....E...%.C,...rc.Of"...~ ....?:..m...

      Static ELF Info

      ELF header

      Class:ELF32
      Data:2's complement, little endian
      Version:1 (current)
      Machine:ARM
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - Linux
      ABI Version:0
      Entry Point Address:0x10824
      Flags:0x4000002
      ELF Header Size:52
      Program Header Offset:52
      Program Header Size:32
      Number of Program Headers:3
      Section Header Offset:0
      Section Header Size:40
      Number of Section Headers:0
      Header String Table Index:0

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x80000x80000x9a270x9a277.96700x5R E0x8000
      LOAD0x00x180000x180000x00x17b4c0.00000x6RW 0x8000
      GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

      Network Behavior

      Network Port Distribution

      UDP Packets

      TimestampSource PortDest PortSource IPDest IP
      Apr 23, 2024 09:36:07.990715981 CEST5842453192.168.2.141.1.1.1
      Apr 23, 2024 09:36:07.991189957 CEST4800253192.168.2.141.1.1.1
      Apr 23, 2024 09:36:08.096081018 CEST53584241.1.1.1192.168.2.14
      Apr 23, 2024 09:36:08.096118927 CEST53480021.1.1.1192.168.2.14

      DNS Queries

      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
      Apr 23, 2024 09:36:07.990715981 CEST192.168.2.141.1.1.10xc003Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
      Apr 23, 2024 09:36:07.991189957 CEST192.168.2.141.1.1.10x4f3bStandard query (0)daisy.ubuntu.com28IN (0x0001)false

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Apr 23, 2024 09:36:08.096081018 CEST1.1.1.1192.168.2.140xc003No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
      Apr 23, 2024 09:36:08.096081018 CEST1.1.1.1192.168.2.140xc003No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

      System Behavior

      General

      Start time (UTC):07:36:05
      Start date (UTC):23/04/2024
      Path:/tmp/9ciLh6edh3.elf
      Arguments:/tmp/9ciLh6edh3.elf
      File size:4956856 bytes
      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

      Chronological Activities