
Linux Analysis Report
h9UrfXfX6V

Overview

General Information

Sample name: h9UrfXfX6V (renamed because original name is a hash value)
Original sample name: 55ab7aa2ceadb3d30784123f2d534fdf
Analysis ID: 1431426
MD5: 55ab7aa2ceadb3d30784123f2d534fdf
SHA1: 9ee7550820cf2b979387f545337a85e51e50a853
SHA256: 50ea64265c5bff72a5e5aa49dc6b27ada334666cde1807f30b5ec131e6bfcf3c
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 56
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample has stripped symbol table

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox version: 40.0.0 Tourmaline
Start date and time: 2024-04-25 04:57:46 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal56.lin@0/0@0/0
  • Connection to analysis system has been lost, crash info: Unknown
No yara matches
No Snort rule has matched


AV Detection

Source: h9UrfXfX6V | Avira: detected
Source: h9UrfXfX6V | ReversingLabs: Detection: 53%
Source: h9UrfXfX6V | Virustotal: Detection: 51%
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal56.lin@0/0@0/0
Source: h9UrfXfX6V | Submission file: segment LOAD with 7.1174 entropy (max. 8.0)
MITRE ATT&CK matrix (tactic: technique; the count in parentheses is the number of matched signatures):

  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Service Discovery
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Command and Control: Data Obfuscation
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features
No configs have been found
Source | Detection | Scanner | Label
h9UrfXfX6V | 54% | ReversingLabs | Linux.Trojan.Ngioweb
h9UrfXfX6V | 52% | Virustotal |
h9UrfXfX6V | 100% | Avira | LINUX/Agent.lsswq
No Antivirus matches
No contacted domains info
No contacted IP infos
No context
No created / dropped files found
File type: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), static-pie linked, stripped
Entropy (8bit): 6.916393574464341
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: h9UrfXfX6V
File size: 79'772 bytes
MD5: 55ab7aa2ceadb3d30784123f2d534fdf
SHA1: 9ee7550820cf2b979387f545337a85e51e50a853
SHA256: 50ea64265c5bff72a5e5aa49dc6b27ada334666cde1807f30b5ec131e6bfcf3c
SHA512: 70dfcbf8a4a0f9b7bc8454ea8da2027d4ab020bc5bfac18bd2cbdde8f42e348a9463b14ee8a529026908ba6e96476df1f3f99351d286165d2b268e125aabd285
SSDEEP: 1536:e3+IYXCJDHFMFjEPL75tQ6h4e2+K/ZKTishko14nTJuP:w+HXs51tQe4PUT
TLSH: C473C07EB3A59E8FD9A1DB3D3B1454854C14FD3FFAEECB0AA511A43E96393240E20254
File Content Preview: .ELF..............(.....=...4...T4......4. ...(........px...x...x.......................................................8/..8/..8/..4...................@/..@/..@/..................Q.td............................R.td8/..8/..8/.............................

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: DYN (Shared object file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x43d
Flags: 0x5000200
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 6
Section Header Offset: 78932
Section Header Size: 40
Number of Section Headers: 21
Header String Table Index: 20
Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
.hash | HASH | 0xf4 | 0xf4 | 0x18 | 0x4 | 0x2 | A | 3 | 0 | 4
.gnu.hash | GNU_HASH | 0x10c | 0x10c | 0x18 | 0x4 | 0x2 | A | 3 | 0 | 4
.dynsym | DYNSYM | 0x124 | 0x124 | 0x30 | 0x10 | 0x2 | A | 4 | 3 | 4
.dynstr | STRTAB | 0x154 | 0x154 | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1
.rel.dyn | REL | 0x158 | 0x158 | 0x258 | 0x8 | 0x2 | A | 3 | 0 | 4
.init | PROGBITS | 0x3b0 | 0x3b0 | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 2
.text | PROGBITS | 0x3b8 | 0x3b8 | 0x11958 | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x11d10 | 0x11d10 | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 2
.rodata | PROGBITS | 0x11d18 | 0x11d18 | 0x260 | 0x0 | 0x2 | A | 0 | 0 | 4
.ARM.exidx | ARM_EXIDX | 0x11f78 | 0x11f78 | 0x8 | 0x0 | 0x82 | AL | 7 | 0 | 4
.eh_frame | PROGBITS | 0x11f80 | 0x11f80 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x22f38 | 0x12f38 | 0x4 | 0x4 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x22f3c | 0x12f3c | 0x4 | 0x4 | 0x3 | WA | 0 | 0 | 4
.dynamic | DYNAMIC | 0x22f40 | 0x12f40 | 0xc0 | 0x8 | 0x3 | WA | 4 | 0 | 4
.got | PROGBITS | 0x23000 | 0x13000 | 0x13c | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x2313c | 0x1313c | 0x230 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x23370 | 0x1336c | 0x350 | 0x0 | 0x3 | WA | 0 | 0 | 8
.comment | PROGBITS | 0x0 | 0x1336c | 0x11 | 0x1 | 0x30 | MS | 0 | 0 | 1
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x1337d | 0x2d | 0x0 | 0x0 |  | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x133aa | 0xa7 | 0x0 | 0x0 |  | 0 | 0 | 1
Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
EXIDX | 0x11f78 | 0x11f78 | 0x11f78 | 0x8 | 0x8 | 2.4056 | 0x4 | R | 0x4 |  | .ARM.exidx
LOAD | 0x0 | 0x0 | 0x0 | 0x11f84 | 0x11f84 | 7.1174 | 0x5 | R E | 0x10000 |  | .hash .gnu.hash .dynsym .dynstr .rel.dyn .init .text .fini .rodata .ARM.exidx .eh_frame
LOAD | 0x12f38 | 0x22f38 | 0x22f38 | 0x434 | 0x788 | 6.3117 | 0x6 | RW | 0x10000 |  | .init_array .fini_array .dynamic .got .data .bss
DYNAMIC | 0x12f40 | 0x22f40 | 0x22f40 | 0xc0 | 0xc0 | 2.3310 | 0x6 | RW | 0x4 |  | .dynamic
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10 |  |
GNU_RELRO | 0x12f38 | 0x22f38 | 0x22f38 | 0xc8 | 0xc8 | 2.4093 | 0x4 | R | 0x1 |  | .init_array .fini_array .dynamic
Dynamic section entries

Type | Meta | Value | Tag
DT_SYMBOLIC | value | 0x0 | 0x10
DT_INIT | value | 0x3b1 | 0xc
DT_FINI | value | 0x11d11 | 0xd
DT_INIT_ARRAY | value | 0x22f38 | 0x19
DT_INIT_ARRAYSZ | bytes | 4 | 0x1b
DT_FINI_ARRAY | value | 0x22f3c | 0x1a
DT_FINI_ARRAYSZ | bytes | 4 | 0x1c
DT_HASH | value | 0xf4 | 0x4
DT_GNU_HASH | value | 0x10c | 0x6ffffef5
DT_STRTAB | value | 0x154 | 0x5
DT_SYMTAB | value | 0x124 | 0x6
DT_STRSZ | bytes | 1 | 0xa
DT_SYMENT | bytes | 16 | 0xb
DT_DEBUG | value | 0x0 | 0x15
DT_REL | value | 0x158 | 0x11
DT_RELSZ | bytes | 600 | 0x12
DT_RELENT | bytes | 8 | 0x13
DT_FLAGS_1 | value | 0x8000000 | 0x6ffffffb
DT_RELCOUNT | value | 75 | 0x6ffffffa
DT_NULL | value | 0x0 | 0x0
Symbols

Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
 |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
 |  |  | .dynsym | 0x3b0 | 0 | SECTION | <unknown> | DEFAULT | 6
 |  |  | .dynsym | 0x2313c | 0 | SECTION | <unknown> | DEFAULT | 16
No network behavior found

System Behavior