
Linux Analysis Report
huRdsUh0To.elf

Overview

General Information

Sample name: huRdsUh0To.elf (renamed because original name is a hash value)
Original sample name: 368871ecb2b4cf2eed164b237c9a08f7.elf
Analysis ID: 1468068
MD5: 368871ecb2b4cf2eed164b237c9a08f7
SHA1: 4ed0b66a9c583e22a9c2ac4de608c8978587e68b
SHA256: 1bf263a378e18338765956896fba41416b8e45a2c332c2d7b078f7e6796560d9
Tags: 32, arm, elf, mirai

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1468068
Start date and time: 2024-07-05 09:53:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: huRdsUh0To.elf (renamed because original name is a hash value)
Original Sample Name: 368871ecb2b4cf2eed164b237c9a08f7.elf
Detection: MAL
Classification: mal52.evad.linELF@0/0@2/0
Command: /tmp/huRdsUh0To.elf
PID: 5427
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault, invalid memory reference
Killed: False
Standard Output: (empty)
Standard Error: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • huRdsUh0To.elf (PID: 5427, Parent: 5350, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/huRdsUh0To.elf
  • cleanup
No yara matches
No Snort rule has matched


AV Detection

Source: huRdsUh0To.elf | Virustotal: Detection: 34%
Source: global traffic | TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown | TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: huRdsUh0To.elf | String found in binary or memory: http://upx.sf.net
Source: unknown | Network traffic detected: HTTP traffic on port 48202 -> 443
Source: LOAD without section mappings | Program segment: 0x8000
Source: classification engine | Classification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Source: huRdsUh0To.elf | Submission file: segment LOAD with 7.7015 entropy (max. 8.0)
Source: /tmp/huRdsUh0To.elf (PID: 5427) | Queries kernel information via 'uname'
Source: huRdsUh0To.elf, 5427.1.00007ffc3c7e0000.00007ffc3c801000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/huRdsUh0To.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/huRdsUh0To.elf
Source: huRdsUh0To.elf, 5427.1.0000556c626a8000.0000556c627d6000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: huRdsUh0To.elf, 5427.1.00007ffc3c7e0000.00007ffc3c801000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: huRdsUh0To.elf, 5427.1.0000556c626a8000.0000556c627d6000.rw-.sdmp | Binary or memory string: kblU!/etc/qemu-binfmt/arm
Source: huRdsUh0To.elf, 5427.1.00007ffc3c7e0000.00007ffc3c801000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
MITRE ATT&CK matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques with signature hits (number of matching signatures in parentheses; all other matrix cells are the empty template):

  • Defense Evasion: Obfuscated Files or Information (11)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
No configs have been found
Source | Detection | Scanner
huRdsUh0To.elf | 35% | Virustotal
No Antivirus matches

Source | Detection | Scanner
daisy.ubuntu.com | 0% | Virustotal

Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | (none) | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | huRdsUh0To.elf | true | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Context for 185.125.190.26 (associated samples, detection, threat name):
  • Okami.x86.elf: malicious, Mirai
  • RVhzSVGHXK.elf: malicious, Unknown
  • L3C7fxsGN2.elf: malicious, Unknown
  • 1eMpWRaDQE.elf: malicious, Unknown
  • AKkzGlDkoX.elf: malicious, Mirai
  • SecuriteInfo.com.Linux.Siggen.9999.238.620.elf: malicious, Unknown
  • 4B77Ifryut.elf: malicious, Unknown
  • PgwPHiMZSm.elf: malicious, Mirai, Okiru
  • xr2xnZhHkh.elf: malicious, Mirai, Gafgyt, Okiru
  • arm.elf: malicious, Unknown
Context for daisy.ubuntu.com (associated samples, detection, threat name, resolved IP):
  • cwrn3EAhWG.elf: malicious, Gafgyt, Mirai (162.213.35.25)
  • x6jMNzbxxv.elf: malicious, Unknown (162.213.35.25)
  • CSZKlNqI6a.elf: malicious, Gafgyt, Mirai (162.213.35.24)
  • wn617AHvAh.elf: malicious, Unknown (162.213.35.25)
  • GR3ohG0zV6.elf: malicious, Gafgyt, Mirai (162.213.35.25)
  • 8Kio1ZjJpy.elf: malicious, Gafgyt, Mirai (162.213.35.24)
  • 9Wz7pT4Bq0.elf: malicious, Gafgyt, Mirai (162.213.35.25)
  • G2B7DhwZh5.elf: malicious, Gafgyt, Mirai (162.213.35.25)
  • MeMyF2fFIz.elf: malicious, Gafgyt, Mirai (162.213.35.24)
  • XP5f3PcAP6.elf: malicious, Gafgyt, Mirai (162.213.35.25)
Context for CANONICAL-ASGB (associated samples, detection, threat name, contacted IP):
  • MBQFNFUI2w.elf: malicious, Unknown (91.189.91.42)
  • GDOzdrSF8s.elf: malicious, Unknown (91.189.91.42)
  • bx433EvPSR.elf: malicious, Gafgyt, Mirai (91.189.91.42)
  • 6s92F3NQsa.elf: malicious, Unknown (91.189.91.42)
  • Okami.arm4.elf: malicious, Mirai (91.189.91.42)
  • Okami.i686.elf: malicious, Mirai (91.189.91.42)
  • Okami.mpsl.elf: malicious, Mirai (91.189.91.42)
  • Okami.sparc.elf: malicious, Mirai (91.189.91.42)
  • Okami.x86.elf: malicious, Mirai (185.125.190.26)
  • NtjLYDrHzE.elf: malicious, Mirai, Gafgyt, Okiru (91.189.91.42)
No context
No context
No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit): 7.694145784506463
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: huRdsUh0To.elf
File size: 16'012 bytes
MD5: 368871ecb2b4cf2eed164b237c9a08f7
SHA1: 4ed0b66a9c583e22a9c2ac4de608c8978587e68b
SHA256: 1bf263a378e18338765956896fba41416b8e45a2c332c2d7b078f7e6796560d9
SHA512: 1e2ee07d144726d4f7c02098a5fb60b3d74b30fa26001d3504f0d2b85d22e6661b4d15e86605f0baf91401555c91f4441727380e59d4f8e07bcf22ff9fcd6fa1
SSDEEP: 384:7qIu0uk7rc5qvB41s9GLAPQuUUxgeaIEjsr:q0N7w5qvB4kXHU4Dksr
TLSH: 1C72D0E3F5A02012CB285C3BF1BA7DE4350CF5A591D62F51E0F7634A2E4B0119886DF6
File Content Preview: .ELF...a..........(.....<...4...........4. ...(......................=...=..............................<u..........Q.td................................UPX!h.......0u..0u......U.........ELF.ra....(........4...s... ........g..g.0.q..._.4.q..F,.@......Q.t.d

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: ARM - ABI
ABI Version: 0
Entry Point Address: 0xb43c
Flags: 0x2
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 40
Number of Section Headers: 0
Header String Table Index: 0

Program headers:

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x3d95 | 0x3d95 | 7.7015 | 0x5 | R E | 0x8000 | | 
LOAD | 0x0 | 0x10000 | 0x10000 | 0x0 | 0x753c | 0.0000 | 0x6 | RW | 0x8000 | | 
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | | 
TCP packets:

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 09:53:58.945549011 CEST | 48202 | 443 | 192.168.2.13 | 185.125.190.26
Jul 5, 2024 09:54:30.689476967 CEST | 48202 | 443 | 192.168.2.13 | 185.125.190.26

UDP packets:

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 09:53:47.020731926 CEST | 53381 | 53 | 192.168.2.13 | 1.1.1.1
Jul 5, 2024 09:53:47.020802975 CEST | 48146 | 53 | 192.168.2.13 | 1.1.1.1
Jul 5, 2024 09:53:47.028276920 CEST | 53 | 48146 | 1.1.1.1 | 192.168.2.13
Jul 5, 2024 09:53:47.030286074 CEST | 53 | 53381 | 1.1.1.1 | 192.168.2.13

DNS queries:

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 5, 2024 09:53:47.020731926 CEST | 192.168.2.13 | 1.1.1.1 | 0xa5a3 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Jul 5, 2024 09:53:47.020802975 CEST | 192.168.2.13 | 1.1.1.1 | 0x84c5 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers:

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 5, 2024 09:53:47.030286074 CEST | 1.1.1.1 | 192.168.2.13 | 0xa5a3 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 09:53:47.030286074 CEST | 1.1.1.1 | 192.168.2.13 | 0xa5a3 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 07:53:45
Start date (UTC): 05/07/2024
Path: /tmp/huRdsUh0To.elf
Arguments: /tmp/huRdsUh0To.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1