Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
spc.elf

Overview

General Information

Sample name:spc.elf
Analysis ID:1541766
MD5:918e921ea02fc815bb55abf5b9ba64c0
SHA1:e884498a1fa4c0047b5828cf550f42ba90038e39
SHA256:f0305ffdd7c9017393eaacb7a8888957f88cb093978f4cb949473a06b948efaf
Tags:elfuser-abuse_ch

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541766
Start date and time:2024-10-25 05:58:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:spc.elf
Detection:CLEAN
Classification:clean1.linELF@0/0@0/0

Runtime Messages

Command:/tmp/spc.elf
PID:5436
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • spc.elf (PID: 5436, Parent: 5361, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/spc.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: clean1.linELF@0/0@0/0
Source: /tmp/spc.elf (PID: 5436)Queries kernel information via 'uname': Jump to behavior
Source: spc.elf, 5436.1.0000559df76b7000.0000559df771c000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sparc
Source: spc.elf, 5436.1.0000559df76b7000.0000559df771c000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/sparc
Source: spc.elf, 5436.1.00007ffe3ad2c000.00007ffe3ad4d000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sparc/tmp/spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/spc.elf
Source: spc.elf, 5436.1.00007ffe3ad2c000.00007ffe3ad4d000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sparc

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1541766 Sample: spc.elf Startdate: 25/10/2024 Architecture: LINUX Score: 1 4 spc.elf 2->4         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
spc.elf8%ReversingLabsLinux.Backdoor.Mirai
spc.elf5%VirustotalBrowse

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):5.856490714952058
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:spc.elf
File size:71'356 bytes
MD5:918e921ea02fc815bb55abf5b9ba64c0
SHA1:e884498a1fa4c0047b5828cf550f42ba90038e39
SHA256:f0305ffdd7c9017393eaacb7a8888957f88cb093978f4cb949473a06b948efaf
SHA512:e2295ed76b71e6f81cf3a8dd96274d5d1df261157543767e58d4b2a5afed5df1d4449a236647f16b7a19313e10207ae629a29a4d264f71d7b56f7fe233a275b0
SSDEEP:1536:3JBeOIxtlTR4VX3IMCyksIiUE8sWmt9gOaB:He7xtl94VIxlEDaB
TLSH:90632A627BA50A3BC9E0553D50E7932BF2FA47892478820B7A918D8C7F9CD6131537E8
File Content Preview:.ELF...........................4.........4. ...(.......................................................4..3................H...H...H................dt.Q................................@..(....@.=(................#.....`8..`.....!.....",..@.....".........`

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:Sparc
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x101c4
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:4
Section Header Offset:70796
Section Header Size:40
Number of Section Headers:14
Header String Table Index:13

Sections

NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
NULL0x00x00x00x00x0000
.initPROGBITS0x100b40xb40x1c0x00x6AX004
.textPROGBITS0x100d00xd00xf4d80x00x6AX004
.finiPROGBITS0x1f5a80xf5a80x140x00x6AX004
.rodataPROGBITS0x1f5c00xf5c00x13100x00x2A008
.eh_framePROGBITS0x210000x110000x480x00x3WA004
.tbssNOBITS0x210480x110480x80x00x403WAT004
.ctorsPROGBITS0x210480x110480x80x00x3WA004
.dtorsPROGBITS0x210500x110500x80x00x3WA004
.jcrPROGBITS0x210580x110580x40x00x3WA004
.gotPROGBITS0x2105c0x1105c0x1c80x40x3WA004
.dataPROGBITS0x212280x112280x20c0x00x3WA008
.bssNOBITS0x214380x114340x2f480x00x3WA008
.shstrtabSTRTAB0x00x114340x580x00x0001

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x100000x100000x108d00x108d05.96870x5R E0x1000.init .text .fini .rodata
LOAD0x110000x210000x210000x4340x33804.41470x6RW 0x1000.eh_frame .tbss .ctors .dtors .jcr .got .data .bss
TLS0x110480x210480x210480x00x80.00000x4R 0x4.tbss
GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

Network Behavior

No network behavior found

System Behavior

General

Start time (UTC):03:58:58
Start date (UTC):25/10/2024
Path:/tmp/spc.elf
Arguments:/tmp/spc.elf
File size:4379400 bytes
MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities