Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
8LzAAQOA5F.elf

Overview

General Information

Sample Name:8LzAAQOA5F.elf
Analysis ID:755691
MD5:0654cfa752abc860f437ffd2d47829b0
SHA1:e1b136b7457e5210de12822df56a8e4a276073b5
SHA256:110f671bf87c7f2ff4baa1c4d7a560a98a53c3cf1449e099f00302a8a4cc5b31
Tags:32armelfmirai
Infos:

Detection

Mirai
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
ELF contains segments with high entropy indicating compressed/encrypted content

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Exit code information suggests that the sample terminated abnormally, try to lookup the sample's target architecture.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:755691
Start date and time:2022-11-29 02:16:05 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 0s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:8LzAAQOA5F.elf
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Detection:MAL
Classification:mal68.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:/tmp/8LzAAQOA5F.elf
PID:6222
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • 8LzAAQOA5F.elf (PID: 6222, Parent: 6119, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/8LzAAQOA5F.elf
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
8LzAAQOA5F.elfSUSP_ELF_LNX_UPX_Compressed_FileDetects a suspicious ELF binary with UPX compressionFlorian Roth
  • 0x78e4:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x7953:$s2: $Id: UPX
  • 0x7904:$s3: $Info: This file is packed with the UPX executable packer

Memory Dumps

SourceRuleDescriptionAuthorStrings
6222.1.00007fee30017000.00007fee3002b000.r-x.sdmpSUSP_XORed_MozillaDetects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.Florian Roth
  • 0x12930:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x129a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12a10:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12a80:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12af0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12d60:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12db4:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12e08:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12e5c:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x12eb0:$xo1: oMXKNNC\x0D\x17\x0C\x12
6222.1.00007fee30017000.00007fee3002b000.r-x.sdmpMAL_ELF_LNX_Mirai_Oct10_2Detects ELF malware Mirai relatedFlorian Roth
  • 0x1223c:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6222.1.00007fee30017000.00007fee3002b000.r-x.sdmpJoeSecurity_Mirai_5Yara detected MiraiJoe Security

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Multi AV Scanner detection for submitted file
    Source: 8LzAAQOA5F.elfReversingLabs: Detection: 50%
    Source: 8LzAAQOA5F.elfVirustotal: Detection: 44%Perma Link
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 119.139.3.57
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 125.41.80.140
    Source: 8LzAAQOA5F.elfString found in binary or memory: http://upx.sf.net

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 6222.1.00007fee30017000.00007fee3002b000.r-x.sdmp, type: MEMORYMatched rule: Detects ELF malware Mirai related Author: Florian Roth
    Source: LOAD without section mappingsProgram segment: 0x8000
    Source: 8LzAAQOA5F.elf, type: SAMPLEMatched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4, reference = Internal Research
    Source: 6222.1.00007fee30017000.00007fee3002b000.r-x.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
    Source: 6222.1.00007fee30017000.00007fee3002b000.r-x.sdmp, type: MEMORYMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
    Source: classification engineClassification label: mal68.troj.evad.linELF@0/0@0/0

    Data Obfuscation

    barindex
    Sample is packed with UPX
    Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: 8LzAAQOA5F.elfSubmission file: segment LOAD with 7.9601 entropy (max. 8.0)
    Source: /tmp/8LzAAQOA5F.elf (PID: 6222)Queries kernel information via 'uname':
    Source: 8LzAAQOA5F.elf, 6222.1.000055cbcab0e000.000055cbcad3c000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
    Source: 8LzAAQOA5F.elf, 6222.1.00007fff03edf000.00007fff03f00000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/8LzAAQOA5F.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/8LzAAQOA5F.elf
    Source: 8LzAAQOA5F.elf, 6222.1.000055cbcab0e000.000055cbcad3c000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
    Source: 8LzAAQOA5F.elf, 6222.1.00007fff03edf000.00007fff03f00000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
    Source: 8LzAAQOA5F.elf, 6222.1.00007fff03edf000.00007fff03f00000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

    Stealing of Sensitive Information

    barindex
    Yara detected Mirai
    Source: Yara matchFile source: 6222.1.00007fee30017000.00007fee3002b000.r-x.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Yara detected Mirai
    Source: Yara matchFile source: 6222.1.00007fee30017000.00007fee3002b000.r-x.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
    Obfuscated Files or Information    		OS Credential Dumping11
    Security Software Discovery    		Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Malware Configuration

    No configs have been found

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    8LzAAQOA5F.elf50%ReversingLabsLinux.Trojan.Mirai
    8LzAAQOA5F.elf44%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.net8LzAAQOA5F.elffalse
      		high

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious
      119.139.3.57
      		unknownChina
      		4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
      125.41.80.140
      		unknownChina
      		4837CHINA169-BACKBONECHINAUNICOMChina169BackboneCNfalse
      109.202.202.202
      		unknownSwitzerland
      		13030INIT7CHfalse
      91.189.91.43
      		unknownUnited Kingdom
      		41231CANONICAL-ASGBfalse
      91.189.91.42
      		unknownUnited Kingdom
      		41231CANONICAL-ASGBfalse

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
      Entropy (8bit):7.95734341882964
      TrID:
      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
      File name:8LzAAQOA5F.elf
      File size:33028
      MD5:0654cfa752abc860f437ffd2d47829b0
      SHA1:e1b136b7457e5210de12822df56a8e4a276073b5
      SHA256:110f671bf87c7f2ff4baa1c4d7a560a98a53c3cf1449e099f00302a8a4cc5b31
      SHA512:4fba06a4b3a51aa1dcb7673f8821db0d100ae5e674c4f45561d8560681cdcdb7163036b801fef36fba044d197f948b21fe36ed47da59eb1a1a1e6704ef9f7236
      SSDEEP:768:9oiWiO031vpAPbrVWZK3XVGxm9XoF9q3UEL5I5:9orm1vpALgUJLLm
      TLSH:75E2F153D372A492DD782AF1F95D89C72BBD4F6CD17B70A216016B2C2E9A0439B3C843
      File Content Preview:.ELF..............(.........4...........4. ...(..........................................[..........................Q.td............................>. NUPX!.........8...8......T..........?.E.h;....#..$..1)...I<.1x9h.=60$.{5.4.C.$..}.H....<.o.......U...4..

      Static ELF Info

      ELF header

      Class:
      Data:
      Version:
      Machine:
      Version Number:
      Type:
      OS/ABI:
      ABI Version:
      Entry Point Address:
      Flags:
      ELF Header Size:
      Program Header Offset:
      Program Header Size:
      Number of Program Headers:
      Section Header Offset:
      Section Header Size:
      Number of Section Headers:
      Header String Table Index:

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x80000x80000x7fdd0x7fdd7.96010x5R E0x8000
      LOAD0x5b180x2db180x2db180x00x00.00000x6RW 0x8000
      GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Nov 29, 2022 02:16:52.179497957 CET42836443192.168.2.2391.189.91.43
      Nov 29, 2022 02:16:52.947679996 CET4251680192.168.2.23109.202.202.202
      Nov 29, 2022 02:17:07.282974958 CET43928443192.168.2.2391.189.91.42
      Nov 29, 2022 02:17:19.570324898 CET42836443192.168.2.2391.189.91.43
      Nov 29, 2022 02:17:23.666085958 CET4251680192.168.2.23109.202.202.202
      Nov 29, 2022 02:17:38.405519009 CET2336324119.139.3.57192.168.2.23
      Nov 29, 2022 02:17:38.405736923 CET3632423192.168.2.23119.139.3.57
      Nov 29, 2022 02:17:48.240734100 CET43928443192.168.2.2391.189.91.42
      Nov 29, 2022 02:18:02.462579012 CET2355366125.41.80.140192.168.2.23
      Nov 29, 2022 02:18:02.462865114 CET5536623192.168.2.23125.41.80.140

      System Behavior

      General

      Start time:02:16:48
      Start date:29/11/2022
      Path:/tmp/8LzAAQOA5F.elf
      Arguments:/tmp/8LzAAQOA5F.elf
      File size:4956856 bytes
      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1