Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
r5sPBYZoeg.elf

Overview

General Information

Sample Name:r5sPBYZoeg.elf
Original Sample Name:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00.elf
Analysis ID:1303707
MD5:cb42acc26fc460bf02b00f38ca4b430b
SHA1:6ed3326e64cabf5cba4c04da4aafcc4e86b07754
SHA256:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00
Tags:elf
Infos:

Detection

ConnectBack
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Yara detected ConnectBack
Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sample contains only a LOAD segment without any section mappings

Classification

General Information

Joe Sandbox Version:38.0.0 Beryl
Analysis ID:1303707
Start date and time:2023-09-05 18:27:50 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:r5sPBYZoeg.elf
Original Sample Name:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: r5sPBYZoeg.elf

Runtime Messages

Command:/tmp/r5sPBYZoeg.elf
PID:5544
Exit Code:
Exit Code Info:
Killed:True
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • r5sPBYZoeg.elf (PID: 5544, Parent: 5444, MD5: cb42acc26fc460bf02b00f38ca4b430b) Arguments: /tmp/r5sPBYZoeg.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
ConnectBackConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
5544.1.0000000000400000.0000000000401000.rwx.sdmpJoeSecurity_ConnectBackYara detected ConnectBackJoe Security

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus / Scanner detection for submitted sample
    Source: r5sPBYZoeg.elfAvira: detected
    Found malware configuration
    Source: 5544.1.0000000000400000.0000000000401000.rwx.sdmpMalware Configuration Extractor: ConnectBack {"C2": "10.5.31.54:4445"}
    Multi AV Scanner detection for submitted file
    Source: r5sPBYZoeg.elfReversingLabs: Detection: 47%
    Source: unknownDNS traffic detected: queries for: daisy.ubuntu.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: LOAD without section mappingsProgram segment: 0x400000
    Source: classification engineClassification label: mal72.troj.linELF@0/0@2/0

    Stealing of Sensitive Information

    barindex
    Yara detected ConnectBack
    Source: Yara matchFile source: 5544.1.0000000000400000.0000000000401000.rwx.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Yara detected ConnectBack
    Source: Yara matchFile source: 5544.1.0000000000400000.0000000000401000.rwx.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network Medium1
    Non-Application Layer Protocol    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
    Application Layer Protocol    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Malware Configuration

    Threatname: ConnectBack

    {"C2": "10.5.31.54:4445"}

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    r5sPBYZoeg.elf47%ReversingLabsLinux.Trojan.AgentSig
    r5sPBYZoeg.elf100%AviraLINUX/AgentSig.GV

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    daisy.ubuntu.com
    		185.125.188.136
    		truefalse
      		high

      World Map of Contacted IPs

      No contacted IP infos

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      daisy.ubuntu.com5w1ZVkWZr0.elfGet hashmaliciousConnectBackBrowse
      • 185.125.188.137
      uY8I5tsPyE.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      aTW6NBHzrR.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      S0wBQZF3m0.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      2UrIdiFYkk.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      kVJm6vAtbZ.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      jDSxdSv24i.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      sora.x86.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      sora.arm7.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      1YAUVrxaRE.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      VDLHJ2DiAp.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      oVj60bn37Z.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.137
      k6u3UrfMBu.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      IJB2Ub1KkE.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      KLKoNDE2QG.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      YG6BL264MC.elfGet hashmaliciousUnknownBrowse
      • 185.125.188.136
      SecuriteInfo.com.Linux.Siggen.9999.22201.31614.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      SecuriteInfo.com.Linux.Siggen.9999.13852.30731.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.137
      6dQ4EzBG7Z.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136
      0PNv3OHIDT.elfGet hashmaliciousMiraiBrowse
      • 185.125.188.136

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
      Entropy (8bit):5.464046134639987
      TrID:
      • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
      • ELF Executable and Linkable format (generic) (4004/1) 49.84%
      File name:r5sPBYZoeg.elf
      File size:302 bytes
      MD5:cb42acc26fc460bf02b00f38ca4b430b
      SHA1:6ed3326e64cabf5cba4c04da4aafcc4e86b07754
      SHA256:4ed5c7939fdaa8ca9cfc6cd0dfe762bb68b58adb434f98c1a28aae53c3b96b00
      SHA512:11327aadb8e862e4c70c6e05e63b38f457afb50f6f81f836c7e5eda4dce8fa7dbd4f01b3c32cd46971f2606c84f8de642d427a511dd3611fb408e282fd07ba97
      SSDEEP:6:BnX//In8/r1/9ammVtbN/ssaSiAWmSfnXsF6NNV9t08q:BvwncrN9oHbN/NaSi1Vnu6NNVw8q
      TLSH:C0E0230B6B60E3C3D10C8E306344033C43D38037989103478F10ACC04C02244CD31E74
      File Content Preview:.ELF..............>.....x.@.....@...................@.8...........................@.......@.............................M1.I.)wc.:..RA....H..f%..H...L.P.I..O1|..M..u.aF.}3...9?..w.Y8.69.=......FP...y.JO....Cv=.?...QL+.rh.R8*i.%.......`...&r:_...w`..c"..qq

      Static ELF Info

      ELF header

      Class:ELF64
      Data:2's complement, little endian
      Version:1 (current)
      Machine:Advanced Micro Devices X86-64
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - System V
      ABI Version:0
      Entry Point Address:0x400078
      Flags:0x0
      ELF Header Size:64
      Program Header Offset:64
      Program Header Size:56
      Number of Program Headers:1
      Section Header Offset:0
      Section Header Size:0
      Number of Section Headers:0
      Header String Table Index:0

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x4000000x4000000x12e0x1e45.46400x7RWE0x1000

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Sep 5, 2023 18:28:39.309745073 CEST435944445192.168.2.1510.5.31.54
      Sep 5, 2023 18:28:40.337572098 CEST435944445192.168.2.1510.5.31.54
      Sep 5, 2023 18:28:42.353532076 CEST435944445192.168.2.1510.5.31.54
      Sep 5, 2023 18:28:46.577672958 CEST435944445192.168.2.1510.5.31.54
      Sep 5, 2023 18:28:54.769951105 CEST435944445192.168.2.1510.5.31.54
      Sep 5, 2023 18:29:10.898530960 CEST435944445192.168.2.1510.5.31.54

      UDP Packets

      TimestampSource PortDest PortSource IPDest IP
      Sep 5, 2023 18:31:19.848263025 CEST5574953192.168.2.151.1.1.1
      Sep 5, 2023 18:31:19.848346949 CEST4635153192.168.2.151.1.1.1
      Sep 5, 2023 18:31:19.968030930 CEST53463511.1.1.1192.168.2.15
      Sep 5, 2023 18:31:19.969556093 CEST53557491.1.1.1192.168.2.15

      DNS Queries

      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
      Sep 5, 2023 18:31:19.848263025 CEST192.168.2.151.1.1.10x8cfcStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
      Sep 5, 2023 18:31:19.848346949 CEST192.168.2.151.1.1.10x919dStandard query (0)daisy.ubuntu.com28IN (0x0001)false

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Sep 5, 2023 18:31:19.969556093 CEST1.1.1.1192.168.2.150x8cfcNo error (0)daisy.ubuntu.com185.125.188.136A (IP address)IN (0x0001)false
      Sep 5, 2023 18:31:19.969556093 CEST1.1.1.1192.168.2.150x8cfcNo error (0)daisy.ubuntu.com185.125.188.137A (IP address)IN (0x0001)false

      System Behavior

      General

      Start time:16:28:38
      Start date:05/09/2023
      Path:/tmp/r5sPBYZoeg.elf
      Arguments:/tmp/r5sPBYZoeg.elf
      File size:302 bytes
      MD5 hash:cb42acc26fc460bf02b00f38ca4b430b