Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
dlr.x86.elf

Overview

General Information

Sample name:dlr.x86.elf
Analysis ID:1663479
MD5:6f421c050ecf9a0dfeb47449457bf5fc
SHA1:da63c2d8f5776a9be3188ce30cd0fb1c0ea4a401
SHA256:24d43c582bf9192d13c1e9f0b0a1d2f2bbbdd9e16c9d1e6cc217ae1e92f64d55
Tags:elfuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1663479
Start date and time:2025-04-11 21:17:58 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:dlr.x86.elf
Detection:MAL
Classification:mal60.troj.linELF@0/0@2/0

Runtime Messages

Command:/tmp/dlr.x86.elf
PID:5516
Exit Code:
Exit Code Info:
Killed:True
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • dlr.x86.elf (PID: 5516, Parent: 5434, MD5: 6f421c050ecf9a0dfeb47449457bf5fc) Arguments: /tmp/dlr.x86.elf
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
dlr.x86.elfMirai_1_May17Detects Mirai MalwareFlorian Roth
  • 0x3a3:$s1: GET /bins/mirai.x86 HTTP/1.0

Memory Dumps

SourceRuleDescriptionAuthorStrings
5516.1.0000000008049000.000000000804a000.rw-.sdmpMirai_1_May17Detects Mirai MalwareFlorian Roth
  • 0x3a3:$s1: GET /bins/mirai.x86 HTTP/1.0
5516.1.0000000008048000.0000000008049000.r-x.sdmpMirai_1_May17Detects Mirai MalwareFlorian Roth
  • 0x3a3:$s1: GET /bins/mirai.x86 HTTP/1.0

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: dlr.x86.elfVirustotal: Detection: 28%Perma Link
Source: dlr.x86.elfReversingLabs: Detection: 41%

Networking

barindex
Connects to many ports of the same IP (likely port scanning)
Source: global trafficTCP traffic: 154.81.179.195 ports 0,1,2,4,8,48102
Source: global trafficTCP traffic: 192.168.2.14:50946 -> 154.81.179.195:48102
Source: global trafficTCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknownTCP traffic detected without corresponding DNS query: 154.81.179.195
Source: unknownTCP traffic detected without corresponding DNS query: 154.81.179.195
Source: unknownTCP traffic detected without corresponding DNS query: 154.81.179.195
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownTCP traffic detected without corresponding DNS query: 154.81.179.195
Source: unknownTCP traffic detected without corresponding DNS query: 154.81.179.195
Source: unknownTCP traffic detected without corresponding DNS query: 154.81.179.195
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknownNetwork traffic detected: HTTP traffic on port 46540 -> 443

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: dlr.x86.elf, type: SAMPLEMatched rule: Detects Mirai Malware Author: Florian Roth
Source: 5516.1.0000000008049000.000000000804a000.rw-.sdmp, type: MEMORYMatched rule: Detects Mirai Malware Author: Florian Roth
Source: 5516.1.0000000008048000.0000000008049000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Malware Author: Florian Roth
Source: ELF static info symbol of initial sample.symtab present: no
Source: dlr.x86.elf, type: SAMPLEMatched rule: Mirai_1_May17 date = 2017-05-12, hash3 = a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990, hash2 = 9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c, author = Florian Roth, description = Detects Mirai Malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 172d050cf0d4e4f5407469998857b51261c80209d9fa5a2f5f037f8ca14e85d2
Source: 5516.1.0000000008049000.000000000804a000.rw-.sdmp, type: MEMORYMatched rule: Mirai_1_May17 date = 2017-05-12, hash3 = a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990, hash2 = 9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c, author = Florian Roth, description = Detects Mirai Malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 172d050cf0d4e4f5407469998857b51261c80209d9fa5a2f5f037f8ca14e85d2
Source: 5516.1.0000000008048000.0000000008049000.r-x.sdmp, type: MEMORYMatched rule: Mirai_1_May17 date = 2017-05-12, hash3 = a393449a5f19109160384b13d60bb40601af2ef5f08839b5223f020f1f83e990, hash2 = 9ba8def84a0bf14f682b3751b8f7a453da2cea47099734a72859028155b2d39c, author = Florian Roth, description = Detects Mirai Malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 172d050cf0d4e4f5407469998857b51261c80209d9fa5a2f5f037f8ca14e85d2
Source: classification engineClassification label: mal60.troj.linELF@0/0@2/0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture2
Application Layer Protocol		Traffic DuplicationData Destruction

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
dlr.x86.elf29%VirustotalBrowse
dlr.x86.elf42%ReversingLabsLinux.Backdoor.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    185.125.190.26
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse
    154.81.179.195
    		unknownSeychelles
    		35916MULTA-ASN1UStrue

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    185.125.190.26mirai.mpsl.elfGet hashmaliciousMiraiBrowse
      mirai.arm5n.elfGet hashmaliciousMiraiBrowse
        2xvhK6n0L5YrHJ4.ppc.elfGet hashmaliciousMiraiBrowse
          na.elfGet hashmaliciousPrometeiBrowse
            na.elfGet hashmaliciousPrometeiBrowse
              t7h65hoHB2.elfGet hashmaliciousUnknownBrowse
                vision.m68k.elfGet hashmaliciousMiraiBrowse
                  vision.mpsl.elfGet hashmaliciousMiraiBrowse
                    mips.elfGet hashmaliciousAquabotBrowse
                      sshd.elfGet hashmaliciousUnknownBrowse
                        154.81.179.195mirai.mpsl.elfGet hashmaliciousMiraiBrowse
                        • /bins/mirai.mpsl
                        mirai.mips.elfGet hashmaliciousMiraiBrowse
                        • /bins/mirai.mips
                        mirai.arm7.elfGet hashmaliciousMiraiBrowse
                        • /bins/mirai.arm7

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comdlr.ppc.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        dlr.arm.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        mirai.m68k.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        mirai.arm5n.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        mirai.spc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        dlr.m68k.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        mirai.mips.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        dlr.mpsl.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        mirai.m68k.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        mirai.arm.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CANONICAL-ASGBmirai.mpsl.elfGet hashmaliciousMiraiBrowse
                        • 185.125.190.26
                        dlr.spc.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        dlr.arm7.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        mirai.arm5n.elfGet hashmaliciousMiraiBrowse
                        • 185.125.190.26
                        mirai.arm7.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        mirai.mips.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        mirai.sh4.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        dlr.sh4.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 91.189.91.42
                        MULTA-ASN1USmirai.mpsl.elfGet hashmaliciousMiraiBrowse
                        • 154.81.179.195
                        dlr.arm7.elfGet hashmaliciousUnknownBrowse
                        • 154.81.179.195
                        dlr.mpsl.elfGet hashmaliciousUnknownBrowse
                        • 154.81.179.195
                        mirai.mips.elfGet hashmaliciousMiraiBrowse
                        • 154.81.179.195
                        mirai.arm7.elfGet hashmaliciousMiraiBrowse
                        • 154.81.179.195
                        dlr.mips.elfGet hashmaliciousUnknownBrowse
                        • 154.81.179.195
                        nabsh4.elfGet hashmaliciousUnknownBrowse
                        • 156.233.244.174
                        m68k.elfGet hashmaliciousMiraiBrowse
                        • 173.82.15.74
                        armv6l.elfGet hashmaliciousGafgyt, MiraiBrowse
                        • 156.233.174.198
                        mipsel.elfGet hashmaliciousGafgyt, MiraiBrowse
                        • 108.166.255.126

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
                        Entropy (8bit):5.536042771060108
                        TrID:
                        • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                        • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                        File name:dlr.x86.elf
                        File size:1'216 bytes
                        MD5:6f421c050ecf9a0dfeb47449457bf5fc
                        SHA1:da63c2d8f5776a9be3188ce30cd0fb1c0ea4a401
                        SHA256:24d43c582bf9192d13c1e9f0b0a1d2f2bbbdd9e16c9d1e6cc217ae1e92f64d55
                        SHA512:3ff47adabafc00f5b56bce42efdf4e9d642d842a90df32903fd566097e1fb715272536a9d17dfbad98d4ab5ce2920098df4fca99d4b760577ca3d63df0574ba9
                        SSDEEP:24:FlSMnq5ZdWomceZGQleZ3eLthD0ZayG9Y9OjUruQmLiTVTNftj:fShZM7coGQlo3eLt50ZpUYsjIHmWZTNJ
                        TLSH:0221EF52E1D9EC32CB2700FFA285AF4B23948E957517FF07DAA14502DC29AD5D523274
                        File Content Preview:.ELF....................$...4...........4. ...(.....................................................................Q.td............................U....U...E...M...........E....].........................................U......u.j..D........U......u.j../.

                        Static ELF Info

                        ELF header

                        Class:ELF32
                        Data:2's complement, little endian
                        Version:1 (current)
                        Machine:Intel 80386
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:UNIX - System V
                        ABI Version:0
                        Entry Point Address:0x8048324
                        Flags:0x0
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:3
                        Section Header Offset:1016
                        Section Header Size:40
                        Number of Section Headers:5
                        Header String Table Index:4

                        Sections

                        NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                        NULL0x00x00x00x00x0000
                        .textPROGBITS0x80480940x940x2e90x00x6AX004
                        .rodataPROGBITS0x804837d0x37d0x5a0x10x32AMS001
                        .bssNOBITS0x80493d80x3d80x40x00x3WA004
                        .shstrtabSTRTAB0x00x3d80x1e0x00x0001

                        Program Segments

                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                        LOAD0x00x80480000x80480000x3d70x3d75.96950x5R E0x1000.text .rodata
                        LOAD0x3d80x80493d80x80493d80x00x40.00000x6RW 0x1000.bss
                        GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Apr 11, 2025 21:18:57.450253963 CEST5094648102192.168.2.14154.81.179.195
                        Apr 11, 2025 21:18:58.457806110 CEST5094648102192.168.2.14154.81.179.195
                        Apr 11, 2025 21:19:00.473828077 CEST5094648102192.168.2.14154.81.179.195
                        Apr 11, 2025 21:19:03.705851078 CEST46540443192.168.2.14185.125.190.26
                        Apr 11, 2025 21:19:04.729557037 CEST5094648102192.168.2.14154.81.179.195
                        Apr 11, 2025 21:19:12.921298027 CEST5094648102192.168.2.14154.81.179.195
                        Apr 11, 2025 21:19:29.048711061 CEST5094648102192.168.2.14154.81.179.195
                        Apr 11, 2025 21:19:33.656310081 CEST46540443192.168.2.14185.125.190.26

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Apr 11, 2025 21:21:39.108429909 CEST5604353192.168.2.141.1.1.1
                        Apr 11, 2025 21:21:39.108429909 CEST5652053192.168.2.141.1.1.1
                        Apr 11, 2025 21:21:39.215478897 CEST53565201.1.1.1192.168.2.14
                        Apr 11, 2025 21:21:39.242847919 CEST53560431.1.1.1192.168.2.14

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Apr 11, 2025 21:21:39.108429909 CEST192.168.2.141.1.1.10xa753Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Apr 11, 2025 21:21:39.108429909 CEST192.168.2.141.1.1.10x8e2eStandard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Apr 11, 2025 21:21:39.242847919 CEST1.1.1.1192.168.2.140xa753No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                        Apr 11, 2025 21:21:39.242847919 CEST1.1.1.1192.168.2.140xa753No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):19:18:56
                        Start date (UTC):11/04/2025
                        Path:/tmp/dlr.x86.elf
                        Arguments:/tmp/dlr.x86.elf
                        File size:1216 bytes
                        MD5 hash:6f421c050ecf9a0dfeb47449457bf5fc

                        Chronological Activities