Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
mipsel.elf

Overview

General Information

Sample name:mipsel.elf
Analysis ID:1544066
MD5:b273d21df6a48d1d2d29b1f785f8c25e
SHA1:c044d8d910ec0a2b2870086f5737dc035dff12b0
SHA256:46c7f4cb6c058dc810da6b4d5bc970cc52effd1f6d58308d02c18ba51ef1c591
Tags:elfuser-abuse_ch

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544066
Start date and time:2024-10-28 19:23:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:mipsel.elf
Detection:MAL
Classification:mal52.evad.linELF@0/0@0/0

Warnings

  • VT rate limit hit for: mipsel.elf

Runtime Messages

Command:/tmp/mipsel.elf
PID:5495
Exit Code:2
Exit Code Info:
Killed:False
Standard Output:

Standard Error:fatal error: sigaction failed

runtime stack:
runtime.throw({0x382b3f, 0x10})
C:/Program Files/Go/src/runtime/panic.go:1077 +0x54 fp=0x7fffecdc sp=0x7fffecc8 pc=0x5a40c
runtime.sysSigaction.func1()
C:/Program Files/Go/src/runtime/os_linux.go:560 +0x4c fp=0x7fffece8 sp=0x7fffecdc pc=0x95d64
runtime.sysSigaction(0x41, 0x7fffed10, 0x0)
C:/Program Files/Go/src/runtime/os_linux.go:559 +0x7c fp=0x7fffed00 sp=0x7fffece8 pc=0x569dc
runtime.sigaction(...)
C:/Program Files/Go/src/runtime/sigaction.go:15
runtime.setsig(0x41, 0x78f80)
C:/Program Files/Go/src/runtime/os_linux.go:507 +0xbc fp=0x7fffed2c sp=0x7fffed00 pc=0x568a8
runtime.initsig(0x0)
C:/Program Files/Go/src/runtime/signal_unix.go:148 +0x2c0 fp=0x7fffed68 sp=0x7fffed2c pc=0x785cc
runtime.mstartm0()
C:/Program Files/Go/src/runtime/proc.go:1624 +0x70 fp=0x7fffed70 sp=0x7fffed68 pc=0x62394
runtime.mstart1()
C:/Program Files/Go/src/runtime/proc.go:1596 +0x94 fp=0x7fffed80 sp=0x7fffed70 pc=0x6228c
runtime.mstart0()
C:/Program Files/Go/src/runtime/proc.go:1557 +0x7c fp=0x7fffed94 sp=0x7fffed80 pc=0x621d8
runtime.mstart()
C:/Program Files/Go/src/runtime/asm_mipsx.s:89 +0x14 fp=0x7fffed98 sp=0x7fffed94 pc=0x9d424

goroutine 1 [runnable]:
runtime.main()
C:/Program Files/Go/src/runtime/proc.go:144 fp=0x5b4227ec sp=0x5b4227ec pc=0x5e2f0
runtime.goexit()
C:/Program Files/Go/src/runtime/asm_mipsx.s:641 +0x4 fp=0x5b4227ec sp=0x5b4227ec pc=0x9f858

Process Tree

  • system is lnxubuntu20
  • mipsel.elf (PID: 5495, Parent: 5419, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: mipsel.elfReversingLabs: Detection: 15%
Source: mipsel.elf, 5495.1.00007f3fb4540000.00007f3fb45a7000.rw-.sdmpString found in binary or memory: http://.css
Source: mipsel.elf, 5495.1.00007f3fb4540000.00007f3fb45a7000.rw-.sdmpString found in binary or memory: http://.jpg
Source: mipsel.elf, 5495.1.00007f3fb4540000.00007f3fb45a7000.rw-.sdmpString found in binary or memory: http://html4/loose.dtd
Source: mipsel.elfString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x10000
Source: mipsel.elfBinary or memory string: 'oh.SlNA
Source: classification engineClassification label: mal52.evad.linELF@0/0@0/0

Data Obfuscation

barindex
Sample is packed with UPX
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: mipsel.elfSubmission file: segment LOAD with 7.8845 entropy (max. 8.0)
Source: /tmp/mipsel.elf (PID: 5495)Queries kernel information via 'uname': Jump to behavior
Source: mipsel.elf, 5495.1.000055d3cdde6000.000055d3ce0e9000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5495.1.000055d3cdde6000.000055d3ce0e9000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5495.1.00007fff430d6000.00007fff430f7000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mipsel.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.elf
Source: mipsel.elf, 5495.1.00007fff430d6000.00007fff430f7000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
mipsel.elf16%ReversingLabsLinux.Trojan.Generic

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://upx.sf.net0%URL Reputationsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://html4/loose.dtdmipsel.elf, 5495.1.00007f3fb4540000.00007f3fb45a7000.rw-.sdmpfalse
    		unknown
    http://upx.sf.netmipsel.elftrue
    • URL Reputation: safe
    		unknown
    http://.cssmipsel.elf, 5495.1.00007f3fb4540000.00007f3fb45a7000.rw-.sdmpfalse
      		unknown
      http://.jpgmipsel.elf, 5495.1.00007f3fb4540000.00007f3fb45a7000.rw-.sdmpfalse
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, no section header
        Entropy (8bit):7.884424247978719
        TrID:
        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
        File name:mipsel.elf
        File size:1'824'684 bytes
        MD5:b273d21df6a48d1d2d29b1f785f8c25e
        SHA1:c044d8d910ec0a2b2870086f5737dc035dff12b0
        SHA256:46c7f4cb6c058dc810da6b4d5bc970cc52effd1f6d58308d02c18ba51ef1c591
        SHA512:aa57ad63fda1657ea145458cc0bcbb63b1cb083658782f16c0ddf12bed6372f1735e824b0b870cf2a4328683e00169fddcdf4e2650ea0d969ba01bf6341173c1
        SSDEEP:49152:ayYujGZpfmkpue3HULl8OdqaIGxkAwoS8:aaGTekMgulsa3xJa8
        TLSH:4E8533EE4705A8E45BECDB2837A7ABA0981FD89C1480DC790A4F71673973F3996B104D
        File Content Preview:.ELF........................4..........P4. ...(....................."..."................h...hZ..hZ.....................UPX!..........X...X.............w....ELF...............4......P. ...(........{.4.......\.t.......d.....M......0.'._.l?1.2t.!..F..?S.T.2

        Static ELF Info

        ELF header

        Class:ELF32
        Data:2's complement, little endian
        Version:1 (current)
        Machine:MIPS R3000
        Version Number:0x1
        Type:EXEC (Executable file)
        OS/ABI:UNIX - System V
        ABI Version:0
        Entry Point Address:0x1ccda8
        Flags:0x50001004
        ELF Header Size:52
        Program Header Offset:52
        Program Header Size:32
        Number of Program Headers:2
        Section Header Offset:0
        Section Header Size:40
        Number of Section Headers:0
        Header String Table Index:0

        Program Segments

        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
        LOAD0x00x100000x100000x1bd7220x1bd7227.88450x5R E0x10000
        LOAD0x68e80x5a68e80x5a68e80x00x00.00000x6RW 0x10000

        Network Behavior

        No network behavior found

        System Behavior

        General

        Start time (UTC):18:23:58
        Start date (UTC):28/10/2024
        Path:/tmp/mipsel.elf
        Arguments:/tmp/mipsel.elf
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        Chronological Activities