Edit tour

Linux Analysis Report
M74QLI3COX.elf

Overview

General Information

Sample name:	M74QLI3COX.elf renamed because original name is a hash value
Original sample name:	16f920f318bc3fe46bf66d063153d2ef.elf
Analysis ID:	1436495
MD5:	16f920f318bc3fe46bf66d063153d2ef
SHA1:	0d0af14367b108967a9ad93e182b437c1565d4bf
SHA256:	4da76cd7ebfd5412d4681e2f25fcf187863fd15ecc0f952171c841b1290b64b1
Tags:	elfmips
Infos:

Detection

Kaiji

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Kaiji

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436495
Start date and time:	2024-05-05 16:43:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	M74QLI3COX.elf renamed because original name is a hash value
Original Sample Name:	16f920f318bc3fe46bf66d063153d2ef.elf
Detection:	MAL
Classification:	mal56.troj.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/M74QLI3COX.elf
PID:	5509
Exit Code:	2
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	fatal error: sigaction failed runtime stack: runtime.throw({0x16f218, 0x10}) C:/Program Files/Go/src/runtime/panic.go:1047 +0x58 fp=0x4000800b38 sp=0x4000800b10 pc=0x54da8 runtime.sysSigaction.func1() C:/Program Files/Go/src/runtime/os_linux.go:542 +0x50 fp=0x4000800b50 sp=0x4000800b38 pc=0x8ef40 runtime.sysSigaction(0x41, 0x4000800bc0, 0x0) C:/Program Files/Go/src/runtime/os_linux.go:541 +0x8c fp=0x4000800b80 sp=0x4000800b50 pc=0x512fc runtime.sigaction(0x41, 0x4000800bc0, 0x0) C:/Program Files/Go/src/runtime/sigaction.go:15 +0x2c fp=0x4000800ba0 sp=0x4000800b80 pc=0x714e4 runtime.setsig(0x41, 0x73300) C:/Program Files/Go/src/runtime/os_linux.go:489 +0xb4 fp=0x4000800be8 sp=0x4000800ba0 pc=0x511bc runtime.initsig(0x0) C:/Program Files/Go/src/runtime/signal_unix.go:148 +0x34c fp=0x4000800c50 sp=0x4000800be8 pc=0x7280c runtime.mstartm0() C:/Program Files/Go/src/runtime/proc.go:1522 +0x7c fp=0x4000800c60 sp=0x4000800c50 pc=0x5c67c runtime.mstart1() C:/Program Files/Go/src/runtime/proc.go:1494 +0x98 fp=0x4000800c80 sp=0x4000800c60 pc=0x5c558 runtime.mstart0() C:/Program Files/Go/src/runtime/proc.go:1455 +0x78 fp=0x4000800ca8 sp=0x4000800c80 pc=0x5c498 runtime.mstart() C:/Program Files/Go/src/runtime/asm_mips64x.s:88 +0x14 fp=0x4000800cb0 sp=0x4000800ca8 pc=0x9319c goroutine 1 [runnable]: runtime.main() C:/Program Files/Go/src/runtime/proc.go:145 fp=0xc00002e7d8 sp=0xc00002e7d8 pc=0x583f8 runtime.goexit() C:/Program Files/Go/src/runtime/asm_mips64x.s:624 +0x4 fp=0xc00002e7d8 sp=0xc00002e7d8 pc=0x9566c

Process Tree

system is lnxubuntu20

M74QLI3COX.elf (PID: 5509, Parent: 5435, MD5: bba92fd1c51079d6ff2478396026936a) Arguments: /tmp/M74QLI3COX.elf

dash New Fork (PID: 5513, Parent: 3671)

rm (PID: 5513, Parent: 3671, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB

dash New Fork (PID: 5514, Parent: 3671)

cat (PID: 5514, Parent: 3671, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.fZhFj81utJ

dash New Fork (PID: 5515, Parent: 3671)

head (PID: 5515, Parent: 3671, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5516, Parent: 3671)

tr (PID: 5516, Parent: 3671, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5517, Parent: 3671)

cut (PID: 5517, Parent: 3671, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5518, Parent: 3671)

cat (PID: 5518, Parent: 3671, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.fZhFj81utJ

dash New Fork (PID: 5519, Parent: 3671)

head (PID: 5519, Parent: 3671, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5520, Parent: 3671)

tr (PID: 5520, Parent: 3671, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5521, Parent: 3671)

cut (PID: 5521, Parent: 3671, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5522, Parent: 3671)

rm (PID: 5522, Parent: 3671, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Kaiji	Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.	No Attribution	https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/ https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775	https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
M74QLI3COX.elf	JoeSecurity_Kaiji_1	Yara detected Kaiji	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: M74QLI3COX.elf	ReversingLabs: Detection: 18%
Source: M74QLI3COX.elf	Virustotal: Detection: 12%			Perma Link

Source: unknown

HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.15:49566 version: TLS 1.2

Source: unknown	Network traffic detected: HTTP traffic on port 49566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49566

Source: unknown

HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.15:49566 version: TLS 1.2

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.linELF@0/0@0/0

Source: ELF file section

Submission: M74QLI3COX.elf

Source: /usr/bin/dash (PID: 5513)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB			Jump to behavior
Source: /usr/bin/dash (PID: 5522)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB			Jump to behavior

Source: /tmp/M74QLI3COX.elf (PID: 5509)

Queries kernel information via 'uname':

Jump to behavior

Source: M74QLI3COX.elf, 5509.1.00007ffe5854e000.00007ffe5856f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips64el
Source: M74QLI3COX.elf, 5509.1.0000556a496ab000.0000556a49a27000.rw-.sdmp	Binary or memory string: ?nIjU1MIPS64R2-generic-mips64-cpu1/etc/qemu-binfmt/mips64elu
Source: M74QLI3COX.elf, 5509.1.0000556a496ab000.0000556a49a27000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips64el
Source: M74QLI3COX.elf, 5509.1.00007ffe5854e000.00007ffe5856f000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips64el/tmp/M74QLI3COX.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/M74QLI3COX.elf

Stealing of Sensitive Information

Yara detected Kaiji

Source: Yara match

File source: M74QLI3COX.elf, type: SAMPLE

Remote Access Functionality

Yara detected Kaiji

Source: Yara match

File source: M74QLI3COX.elf, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
M74QLI3COX.elf	18%	ReversingLabs	Linux.Trojan.Ares
M74QLI3COX.elf	13%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.217.10.153	unknown	United States		16509	AMAZON-02US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.217.10.153	SecuriteInfo.com.Trojan.Linux.GenericKD.28945.18513.11319.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Mirai.8362.28225.8588.elf	Get hash	malicious	Mirai	Browse
	3l23Ly4zK0.elf	Get hash	malicious	Mirai	Browse
	8ce5xGv7Rl.elf	Get hash	malicious	Mirai	Browse
	9EYzS8C2Sn.elf	Get hash	malicious	Mirai, Okiru	Browse
	jDrEk4Z8cP.elf	Get hash	malicious	Unknown	Browse
	7AviWAaJMa.elf	Get hash	malicious	Mirai	Browse
	bulus.arm7-20240430-1916.elf	Get hash	malicious	Mirai, Moobot, Okiru	Browse
	sora.arm5.elf	Get hash	malicious	Mirai	Browse
	PBh6YIFgSF.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	hdqqxiAaUa.elf	Get hash	malicious	Mirai	Browse	54.119.116.90
	JQf0ehYRnW.elf	Get hash	malicious	Mirai	Browse	18.136.8.182
	v6KtBJBvIM.elf	Get hash	malicious	Mirai	Browse	13.224.91.140
	IQU2qqn8AZ.elf	Get hash	malicious	Mirai	Browse	13.113.240.116
	JCS9ADM3XR.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	wlFJIK0tXZ.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	77a9MuTMle.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	AzlcQuUN0k.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	wQT6LP2bum.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	9zU9mg84VT.elf	Get hash	malicious	Unknown	Browse	34.249.145.219

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, MIPS, MIPS-III version 1 (SYSV), statically linked, Go BuildID=tIdheouc6LQYM4AxlF6J/RIpVyx97yR-Cy8tknSUC/sxGYsJYcW-ER3FYcJGL_/lD73K25NKDaKC7JiK502, stripped
Entropy (8bit):	5.180745308751407
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	M74QLI3COX.elf
File size:	2'359'296 bytes
MD5:	16f920f318bc3fe46bf66d063153d2ef
SHA1:	0d0af14367b108967a9ad93e182b437c1565d4bf
SHA256:	4da76cd7ebfd5412d4681e2f25fcf187863fd15ecc0f952171c841b1290b64b1
SHA512:	cdd7c9d95e69e7a1a218c70c3b273e639ebb427ef40a723cbc6e1fc46bb94207e0046110368d12eadd2881cc1093d8996842ac177aeaf5cdd3313ed182fbcb53
SSDEEP:	24576:KFUgWKX5sgIqJCDhtcgZDBpjzxlVXw8RuMFLGk+Ton7TF0z1v:bKX5R7MDAyxzuM9Gk+27TF0z1
TLSH:	B7B5E80ABDC16F76C59C037586EE265A23513E495B91032327A4F7B83A7733CAF5B488
File Content Preview:	.ELF....................8h......@.................. @.8...@.............@.......@.......@...............................................................d.......d..............................................................................................

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x96838
Flags:	0x20000004
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	7
Section Header Offset:	456
Section Header Size:	64
Number of Section Headers:	14
Header String Table Index:	3

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x11000	0x1000	0x12a4d0	0x0	0x6	AX	8
.rodata	PROGBITS	0x140000	0x130000	0x593f1	0x0	0x2	A	32
.shstrtab	STRTAB	0x0	0x189400	0x98	0x0	0x0		1
.typelink	PROGBITS	0x1994a0	0x1894a0	0x8d4	0x0	0x2	A	32
.itablink	PROGBITS	0x199d80	0x189d80	0x240	0x0	0x2	A	32
.gosymtab	PROGBITS	0x199fc0	0x189fc0	0x0	0x0	0x2	A	1
.gopclntab	PROGBITS	0x199fc0	0x189fc0	0x8d000	0x0	0x2	A	32
.go.buildinfo	PROGBITS	0x230000	0x220000	0x100	0x0	0x3	WA	16
.noptrdata	PROGBITS	0x230100	0x220100	0x11dcc	0x0	0x3	WA	32
.data	PROGBITS	0x241ee0	0x231ee0	0xc400	0x0	0x3	WA	32
.bss	NOBITS	0x24e2e0	0x23e2e0	0x2c680	0x0	0x3	WA	32
.noptrbss	NOBITS	0x27a960	0x26a960	0x4430	0x0	0x3	WA	32
.note.go.buildid	NOTE	0x10f9c	0xf9c	0x64	0x0	0x2	A	4

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
PHDR	0x40	0x10040	0x10040	0x188	0x188	1.4962	0x4	R	0x10000
NOTE	0xf9c	0x10f9c	0x10f9c	0x64	0x64	5.2933	0x4	R	0x4	.note.go.buildid
LOAD	0x0	0x10000	0x10000	0x12b4d0	0x12b4d0	5.0373	0x5	R E	0x10000	.text .note.go.buildid
LOAD	0x130000	0x140000	0x140000	0xe6fc0	0xe6fc0	5.2823	0x4	R	0x10000	.rodata .typelink .itablink .gosymtab .gopclntab
LOAD	0x220000	0x230000	0x230000	0x1e2e0	0x4ed90	3.9400	0x6	RW	0x10000	.go.buildinfo .noptrdata .data .bss .noptrbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8
LOOS+5041580	0x0	0x0	0x0	0x0	0x0	0.0000	0x2a00		0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 5, 2024 16:43:53.081012964 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.081027031 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.081036091 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.081046104 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.081056118 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.081059933 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.081065893 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.081094027 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.081094027 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.081094027 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.081094027 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.081094027 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.081813097 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.271338940 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.299829006 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.299880028 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.299943924 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.503626108 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.503638029 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.503693104 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.503693104 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.504503012 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.701574087 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.701591969 CEST	443	49566	54.217.10.153	192.168.2.15
May 5, 2024 16:43:53.701734066 CEST	49566	443	192.168.2.15	54.217.10.153
May 5, 2024 16:43:53.701850891 CEST	49566	443	192.168.2.15	54.217.10.153

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 5, 2024 16:43:53.081065893 CEST	54.217.10.153	443	192.168.2.15	49566	CN=motd.ubuntu.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	Thu Mar 07 10:27:55 CET 2024 Fri Sep 04 02:00:00 CEST 2020	Wed Jun 05 11:27:54 CEST 2024 Mon Sep 15 18:00:00 CEST 2025
May 5, 2024 16:43:53.081065893 CEST	54.217.10.153	443	192.168.2.15	49566	CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025

System Behavior

Analysis Process: M74QLI3COX.elf PID: 5509, Parent PID: 5435

General

Start time (UTC):	14:43:49
Start date (UTC):	05/05/2024
Path:	/tmp/M74QLI3COX.elf
Arguments:	/tmp/M74QLI3COX.elf
File size:	5822264 bytes
MD5 hash:	bba92fd1c51079d6ff2478396026936a

Chronological Activities

Analysis Process: dash PID: 5513, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5513, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5514, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5514, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.fZhFj81utJ
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 5515, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 5515, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 5516, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 5516, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 5517, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 5517, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 5518, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5518, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.fZhFj81utJ
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 5519, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 5519, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 5520, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 5520, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 5521, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 5521, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 5522, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5522, Parent PID: 3671

General

Start time (UTC):	14:43:52
Start date (UTC):	05/05/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.fZhFj81utJ /tmp/tmp.5BuHKRtIt9 /tmp/tmp.iMWgMwkDqB
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report M74QLI3COX.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTPS Connections

System Behavior

Analysis Process: M74QLI3COX.elf PID: 5509, Parent PID: 5435

General

Chronological Activities

Analysis Process: dash PID: 5513, Parent PID: 3671

General

Chronological Activities

Analysis Process: rm PID: 5513, Parent PID: 3671

General

Chronological Activities

Analysis Process: dash PID: 5514, Parent PID: 3671

General

Chronological Activities

Analysis Process: cat PID: 5514, Parent PID: 3671

General

Chronological Activities

Analysis Process: dash PID: 5515, Parent PID: 3671

General

Chronological Activities

Linux Analysis Report
M74QLI3COX.elf