Linux Analysis Report
SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
Analysis ID:829689
MD5:0d7a0d32ecf0446189e05b0d96de705b
SHA1:d060eae88a98939b04e0d39be16c072e66916018
SHA256:9da726d31cfeceac5e5e360f14a4d1b823b97c620ebc62dbfcfa0750930e0d76
Tags:elf

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
ELF contains segments with high entropy indicating compressed/encrypted content

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Exit code information suggests that the sample terminated abnormally, try to lookup the sample's target architecture.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Non-zero exit code suggests an error during the execution. Lookup the error code for hints.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:829689
Start date and time:2023-03-18 21:31:06 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 59s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
Detection:MAL
Classification:mal56.linELF@0/0@0/0
Command:/tmp/SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
PID:6223
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • cleanup
Yara matches (Source | Rule | Description | Author | Strings)

Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf | Rule: Linux_Packer_Patched_UPX_62e11c64 | Description: unknown | Author: unknown
  • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
Source: 6223.1.00007f2e70400000.00007f2e70421000.r-x.sdmp | Rule: Linux_Packer_Patched_UPX_62e11c64 | Description: unknown | Author: unknown
  • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf | Virustotal: Detection: 11%
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42

System Summary

Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, type: SAMPLE | Matched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: 6223.1.00007f2e70400000.00007f2e70421000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: LOAD without section mappings | Program segment: 0x400000
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, type: SAMPLE | Matched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: 6223.1.00007f2e70400000.00007f2e70421000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: classification engine | Classification label: mal56.linELF@0/0@0/0
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf | Submission file: segment LOAD with 7.7232 entropy (max. 8.0)
Source: /tmp/SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf (PID: 6223) | Queries kernel information via 'uname':
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, 6223.1.00005558c904d000.00005558c90d4000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, 6223.1.00007ffdc0635000.00007ffdc0656000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, 6223.1.00007ffdc0635000.00007ffdc0656000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, 6223.1.00005558c904d000.00005558c90d4000.rw-.sdmp | Binary or memory string: XU!/etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf, 6223.1.00007ffdc0635000.00007ffdc0656000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
MITRE ATT&CK Matrix (numbers in parentheses are the signature counts mapped to that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Obfuscated Files or Information (1) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
No configs have been found
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf | 5% | ReversingLabs | |
SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf | 12% | Virustotal | | Browse
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
No context
No created / dropped files found
File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):7.723190077963099
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
File size:10136
MD5:0d7a0d32ecf0446189e05b0d96de705b
SHA1:d060eae88a98939b04e0d39be16c072e66916018
SHA256:9da726d31cfeceac5e5e360f14a4d1b823b97c620ebc62dbfcfa0750930e0d76
SHA512:18837fab1e71522781decb6b90f55fa3046afb6df7c44abcbea99e1e0fa3dea1718baf4da6910f1f3de1ef5c2ea9b1561a441b057c166f8c7d375075c1f366d5
SSDEEP:192:0JUo2TjiSlZwhEeoCg+8J/3s0IreBf1fp66NllOiaLpxmoJPvbvvABsAO:0Fin4W7Cg+A7DfnflQuAcBsAO
TLSH:9222D09EEDE39F74DA715AB28B4B0E707CFF9B14ED1C5579D88434488B6A805501A38C
File Content Preview:.ELF.....................A.h...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................\....|.$..ELF..........@.`....4..^h... ...(......<...@......ll.....H.W.`.t.d....dt.Q.....].M............6...

ELF header

Class:
Data:
Version:
Machine:
Version Number:
Type:
OS/ABI:
ABI Version:
Entry Point Address:
Flags:
ELF Header Size:
Program Header Offset:
Program Header Size:
Number of Program Headers:
Section Header Offset:
Section Header Size:
Number of Section Headers:
Header String Table Index:
Program headers (Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings)

LOAD | 0x0 | 0x400000 | 0x400000 | 0x205b2 | 0x205b2 | 7.7232 | 0x5 | R E | 0x10000 | |
LOAD | 0x0 | 0x430000 | 0x430000 | 0x0 | 0x8ac18 | 0.0000 | 0x6 | RW | 0x10000 | |
Network connections (Timestamp | Source Port | Dest Port | Source IP | Dest IP)

Mar 18, 2023 21:31:53.128110886 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 18, 2023 21:31:53.896028996 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 18, 2023 21:32:08.231363058 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 18, 2023 21:32:20.518749952 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 18, 2023 21:32:24.614547014 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 18, 2023 21:32:49.189223051 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42

System Behavior

Start time:21:31:49
Start date:18/03/2023
Path:/tmp/SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
Arguments:/tmp/SecuriteInfo.com.Trojan.Linux.Dakkatoni.16651.26568.elf
File size:5777432 bytes
MD5 hash:0083f1f0e77be34ad27f849842bbb00c