Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
X53Hpyg7Aj.elf

Overview

General Information

Sample name:X53Hpyg7Aj.elf
renamed because original name is a hash value
Original sample name:978cd5ae0c8dcba7257cab900f56f797.elf
Analysis ID:1430997
MD5:978cd5ae0c8dcba7257cab900f56f797
SHA1:1babf5e272870641682f738791dfd7089a33a394
SHA256:dc3845a6da683c46b1efe6bb8fa5f6d745f3de4fb4f2da7c4b4de4ee6529d3ee
Tags:32armelfmirai
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample deletes itself
Found strings indicative of a multi-platform dropper
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1430997
Start date and time:2024-04-24 13:03:35 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:X53Hpyg7Aj.elf
renamed because original name is a hash value
Original Sample Name:978cd5ae0c8dcba7257cab900f56f797.elf
Detection:MAL
Classification:mal52.evad.linELF@0/0@0/0

Warnings

  • Skipping network analysis since amount of network traffic is too extensive

Runtime Messages

Command:/tmp/X53Hpyg7Aj.elf
PID:5510
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
black botnet voodoo
Standard Error:

Process Tree

  • system is lnxubuntu20
  • cleanup

Yara Signatures

No yara matches

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: X53Hpyg7Aj.elfVirustotal: Detection: 17%Perma Link
Source: X53Hpyg7Aj.elfReversingLabs: Detection: 15%
Source: X53Hpyg7Aj.elfString: pts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforps
Source: /tmp/X53Hpyg7Aj.elf (PID: 5510)Socket: 127.0.0.1::8345Jump to behavior
Source: Initial sampleString containing 'busybox' found: busybox
Source: Initial sampleString containing 'busybox' found: pts/ttysocket:[/proc/net/tcp /proc/%d/exepkillkillkillallechoclearwgetcurlping/pswiresharktcpdumppythonpython3busyboxiptablesrebootinitinit 6nanonvimvimcpmvcdlscatstringstophtopgrepshbashgdb/mapsmkdirHTTPapt./;rungetshutdown&reboot -fshutdown -rrmftpgettftpncforps
Source: ELF static info symbol of initial sample.symtab present: no
Source: /tmp/X53Hpyg7Aj.elf (PID: 5514)SIGKILL sent: pid: 888, result: successfulJump to behavior
Source: classification engineClassification label: mal52.evad.linELF@0/0@0/0
Source: /tmp/X53Hpyg7Aj.elf (PID: 5512)Reads from proc file: /proc/statJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Sample deletes itself
Source: /tmp/X53Hpyg7Aj.elf (PID: 5510)File: /tmp/X53Hpyg7Aj.elfJump to behavior
Source: /tmp/X53Hpyg7Aj.elf (PID: 5510)Queries kernel information via 'uname': Jump to behavior
Source: X53Hpyg7Aj.elf, 5510.1.000055fd2d627000.000055fd2d77c000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: X53Hpyg7Aj.elf, 5510.1.00007ffd06ffc000.00007ffd0701d000.rw-.sdmpBinary or memory string: 2x86_64/usr/bin/qemu-arm/tmp/X53Hpyg7Aj.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/X53Hpyg7Aj.elf
Source: X53Hpyg7Aj.elf, 5510.1.000055fd2d627000.000055fd2d77c000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: X53Hpyg7Aj.elf, 5510.1.00007ffd06ffc000.00007ffd0701d000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid AccountsWindows Management Instrumentation1
Scripting		Path Interception1
File Deletion		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1430997 Sample: X53Hpyg7Aj.elf Startdate: 24/04/2024 Architecture: LINUX Score: 52 25 Multi AV Scanner detection for submitted file 2->25 8 X53Hpyg7Aj.elf 2->8         started        process3 signatures4 27 Sample deletes itself 8->27 11 X53Hpyg7Aj.elf 8->11         started        process5 process6 13 X53Hpyg7Aj.elf 11->13         started        15 X53Hpyg7Aj.elf 11->15         started        17 X53Hpyg7Aj.elf 11->17         started        19 3 other processes 11->19 process7 21 X53Hpyg7Aj.elf 13->21         started        23 X53Hpyg7Aj.elf 15->23         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
X53Hpyg7Aj.elf18%VirustotalBrowse
X53Hpyg7Aj.elf16%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):5.555304707744671
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:X53Hpyg7Aj.elf
File size:166'092 bytes
MD5:978cd5ae0c8dcba7257cab900f56f797
SHA1:1babf5e272870641682f738791dfd7089a33a394
SHA256:dc3845a6da683c46b1efe6bb8fa5f6d745f3de4fb4f2da7c4b4de4ee6529d3ee
SHA512:4a688e502d39878f6c21fc19626ee19aaf0d61ba99b6949374d09b047c0437b336141e47a25033b0314df94cabd1505276e614875002a55f08daf1e262773755
SSDEEP:3072:H9Ci0IY7ST8pzntgt5O1vQOvUGBv+LzbUFSuA66EkaJfBuUjPTlD:HIi0JcItgvEQbOvESA6SaJ5fTlD
TLSH:74F31A45F9808F56C5D712BBFF4D428D332B1768D3EA720289256F21379B96B0E7B242
File Content Preview:.ELF...a..........(.........4...........4. ...(......................:...:...............@...@...@...F..............Q.td..................................-...L."...............0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:ARM
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:ARM - ABI
ABI Version:0
Entry Point Address:0x8190
Flags:0x202
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:165652
Section Header Size:40
Number of Section Headers:11
Header String Table Index:10

Sections

NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
NULL0x00x00x00x00x0000
.initPROGBITS0x80940x940x180x00x6AX004
.textPROGBITS0x80b00xb00x1fe940x00x6AX0016
.finiPROGBITS0x27f440x1ff440x140x00x6AX004
.rodataPROGBITS0x27f580x1ff580x3b880x00x2A004
.ctorsPROGBITS0x340040x240040xc0x00x3WA004
.dtorsPROGBITS0x340100x240100x80x00x3WA004
.dataPROGBITS0x340200x240200x46940x00x3WA0032
.bssNOBITS0x386b40x286b40xd8580x00x3WA004
.ARM.attributesARM_ATTRIBUTES0x00x286b40x100x00x0001
.shstrtabSTRTAB0x00x286c40x4e0x00x0001

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x80000x80000x23ae00x23ae05.99240x5R E0x8000.init .text .fini .rodata
LOAD0x240040x340040x340040x46b00x11f080.36920x6RW 0x8000.ctors .dtors .data .bss
GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

Network Behavior

Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

System Behavior

General

Start time (UTC):11:04:29
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:/tmp/X53Hpyg7Aj.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:04:30
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:04:30
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:04:30
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:04:30
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:04:30
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:06:18
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:06:18
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

General

Start time (UTC):11:06:19
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):11:06:19
Start date (UTC):24/04/2024
Path:/tmp/X53Hpyg7Aj.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1