Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
tftp.elf

Overview

General Information

Sample name:tftp.elf
Analysis ID:1544257
MD5:46423fa406370c440548d5c485e0533a
SHA1:88e69c243904bd86112ddc50ee2be549258f8fb6
SHA256:a6dfb29992ad42592e40c11c66a6389414919f145f3cabea21e91d9134463f53
Tags:elfuser-abuse_ch
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544257
Start date and time:2024-10-29 06:07:04 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:tftp.elf
Detection:CLEAN
Classification:clean1.linELF@0/0@2/0

Runtime Messages

Command:/tmp/tftp.elf
PID:5431
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • tftp.elf (PID: 5431, Parent: 5358, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/tftp.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: Initial sampleString containing 'busybox' found: busybox_main
Source: Initial sampleString containing 'busybox' found: _fini__uClibc_mainbb_applet_namerun_applet_by_namebb_error_msg_and_diebeen_there_done_thatstderrbb_msg_full_versionappletsfputsbb_strlenmemmovememsetusage_messagesstrcmpbsearchfind_applet_by_namebb_show_usagebusybox_maintest_maincat_mainchmod_mainchown_mainclear_maincp_maindate_maindf_maindu_mainecho_mainenv_mainfalse_mainhalt_mainhostname_mainifconfig_maininit_maininsmod_mainkill_mainln_mainls_mainlsmod_mainmesg_mainmkdir_mainmknod_mainmodprobe_mainmore_mainmsh_mainmv_mainnetstat_mainnslookup_mainping_mainpoweroff_mainps_mainpwd_mainreboot_mainreset_mainrm_mainrmdir_mainrmmod_mainstart_stop_daemon_mainstty_maintail_maintelnet_maintftp_maintop_maintouch_maintrue_mainumount_mainuname_mainuptime_mainwhoami_mainbb_getopt_ulflagsoptindbb_wfopen_inputfilenobb_copyfd_eofbb_fclose_nonstdinbb_parse_modechmodbb_perror_msgrecursive_actionlchownstrchrget_ug_idmy_getgrnammy_getpwnamlstatcp_mv_stat2cp_mv_statbb_get_last_path_componentconcat_path_filecopy_filefreebb_opt_complementalyputenvbb_perror_msg_and_dielocaltimememc
Source: classification engineClassification label: clean1.linELF@0/0@2/0
Source: /tmp/tftp.elf (PID: 5431)Queries kernel information via 'uname': Jump to behavior
Source: tftp.elf, 5431.1.000055a3bb616000.000055a3bb67a000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
Source: tftp.elf, 5431.1.000055a3bb616000.000055a3bb67a000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: tftp.elf, 5431.1.00007ffc4da1b000.00007ffc4da3c000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: tftp.elf, 5431.1.00007ffc4da1b000.00007ffc4da3c000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/tftp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp.elf

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544257 Sample: tftp.elf Startdate: 29/10/2024 Architecture: LINUX Score: 1 7 daisy.ubuntu.com 2->7 5 tftp.elf 2->5         started        process3

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
tftp.elf0%ReversingLabs

Dropped Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comboatnet.arm7.elfGet hashmaliciousMiraiBrowse
  • 162.213.35.25
bot.spc.elfGet hashmaliciousMirai, OkiruBrowse
  • 162.213.35.24
m68k.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
main_arm6.elfGet hashmaliciousMiraiBrowse
  • 162.213.35.25
bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
  • 162.213.35.24
bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
  • 162.213.35.24
sshd.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
.i.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousGafgyt, MiraiBrowse
  • 162.213.35.25
na.elfGet hashmaliciousGafgyt, MiraiBrowse
  • 162.213.35.25

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, missing section headers at 243968
Entropy (8bit):5.355240899929479
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:tftp.elf
File size:102'400 bytes
MD5:46423fa406370c440548d5c485e0533a
SHA1:88e69c243904bd86112ddc50ee2be549258f8fb6
SHA256:a6dfb29992ad42592e40c11c66a6389414919f145f3cabea21e91d9134463f53
SHA512:611ba74bd9bb82bad3f9464b31bb2836c603071eb6cb41753dd09b3d06d24953b3f3d3d586feb2023d434316ec6c908e6d786c17deed3862588993fd25eb5a04
SSDEEP:1536:fmdurU07J8MtqHxqGPkncW/RVi/wJz8H6xVRFOr4kp6kyId:fma7JLqHxcncWZViTH6xVRFOR6kyg
TLSH:FFA3825E7A218F7DF6B8C73497FB1B34A77922CA2A91C580D1ACD5012E2434D981FF68
File Content Preview:.ELF.....................@7....4....P....4. ...(...........4.@.4.@.4.........................@...@..................p......(.@.(.@.(.........................@...@....a...a...............a..Da..Da.......N0...............@.@.@.@.@...........................

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 29, 2024 06:07:54.480597973 CET4469853192.168.2.131.1.1.1
Oct 29, 2024 06:07:54.480695963 CET3381153192.168.2.131.1.1.1
Oct 29, 2024 06:07:54.488600016 CET53338111.1.1.1192.168.2.13
Oct 29, 2024 06:07:54.488699913 CET53446981.1.1.1192.168.2.13

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 29, 2024 06:07:54.480597973 CET192.168.2.131.1.1.10x4459Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 29, 2024 06:07:54.480695963 CET192.168.2.131.1.1.10x6eb0Standard query (0)daisy.ubuntu.com28IN (0x0001)false

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 29, 2024 06:07:54.488699913 CET1.1.1.1192.168.2.130x4459No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
Oct 29, 2024 06:07:54.488699913 CET1.1.1.1192.168.2.130x4459No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

System Behavior

General

Start time (UTC):05:07:52
Start date (UTC):29/10/2024
Path:/tmp/tftp.elf
Arguments:/tmp/tftp.elf
File size:5777432 bytes
MD5 hash:0083f1f0e77be34ad27f849842bbb00c

Chronological Activities