Linux Analysis Report
hiss.arm5.elf

Overview

General Information

Sample name:hiss.arm5.elf
Analysis ID:1547242
MD5:815c385279338f7d51c93e5af7b8e8e6
SHA1:4c0e47eb6055f0923646926dea684bc1915ed01e
SHA256:705ac32cd81c1ecc73c9085a06c4982ab7cb231d0cc8855d217194282b8d8b3c
Tags: elf, user-abuse_ch

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1547242
Start date and time:2024-11-02 04:21:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:hiss.arm5.elf
Detection:MAL
Classification:mal48.linELF@0/1@1/0
Command:/tmp/hiss.arm5.elf
PID:5541
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: hiss.arm5.elf | ReversingLabs: Detection: 13%
Source: hiss.arm5.elf | Virustotal: Detection: 10%
Source: hiss.arm5.elf | String: W|||self(deleted)/dev/usr//bin//sbin//cmdlinewgetcurlftp/dev/null
Source: global traffic | TCP traffic: 192.168.2.14:50190 -> 77.232.39.139:5555
Source: /tmp/hiss.arm5.elf (PID: 5541) | Socket: 127.0.0.1:45995
Source: unknown | TCP traffic detected without corresponding DNS query: 77.232.39.139
Source: global traffic | DNS traffic detected: DNS query: dvrhelpers.su
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal48.linELF@0/1@1/0
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/1/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/2/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/3/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/4/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/5/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/6/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/7/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/8/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5545) | File opened: /proc/9/cmdline
Source: /tmp/hiss.arm5.elf (PID: 5541) | Queries kernel information via 'uname'
Source: hiss.arm5.elf, 5543.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.iyvGdj
Source: hiss.arm5.elf, 5543.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp | Binary or memory string: V/tmp/qemu-open.iyvGdj
Source: hiss.arm5.elf, 5541.1.0000560e79090000.0000560e791be000.rw-.sdmp, hiss.arm5.elf, 5543.1.0000560e79090000.0000560e791be000.rw-.sdmp, hiss.arm5.elf, 5545.1.0000560e79090000.0000560e791be000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: hiss.arm5.elf, 5541.1.0000560e79090000.0000560e791be000.rw-.sdmp, hiss.arm5.elf, 5543.1.0000560e79090000.0000560e791be000.rw-.sdmp, hiss.arm5.elf, 5545.1.0000560e79090000.0000560e791be000.rw-.sdmp | Binary or memory string: V!/etc/qemu-binfmt/arm
Source: hiss.arm5.elf, 5541.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp, hiss.arm5.elf, 5543.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp, hiss.arm5.elf, 5545.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: hiss.arm5.elf, 5541.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp, hiss.arm5.elf, 5543.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp, hiss.arm5.elf, 5545.1.00007ffd3e658000.00007ffd3e679000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/hiss.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hiss.arm5.elf
MITRE ATT&CK matrix (each tactic column with its three rows; cells carrying a leading count, e.g. "11 Security Software Discovery", are the techniques the analysis mapped signatures to):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: 1 Scripting; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
  • Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
Behavior Graph (ID 1547242, sample hiss.arm5.elf, start date 02/11/2024, architecture LINUX, score 48): hiss.arm5.elf is started and in turn starts three further hiss.arm5.elf processes; network nodes: 77.232.39.139 (ports 50190, 5555; EUT-ASEUTIPNetworkRU, Russian Federation) and dvrhelpers.su; signature node: Multi AV Scanner detection for submitted file.

Source | Detection | Scanner | Label
hiss.arm5.elf | 13% | ReversingLabs | Linux.Backdoor.Mirai
hiss.arm5.elf | 11% | Virustotal | (no label)
No Antivirus matches
Source | Detection | Scanner | Label
dvrhelpers.su | 1% | Virustotal | (no label)
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dvrhelpers.su | unknown | unknown | false | unknown | (not shown)
IP | Domain | Country | ASN | ASN Name | Malicious
77.232.39.139 | unknown | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | false
No context
Match: EUT-ASEUTIPNetworkRU (Associated Sample Name / URL | Detection | Threat Name | Context IP)
  • meow.arm7.elf | malicious | Unknown | 77.232.42.137
  • na.elf | malicious | Unknown | 77.232.36.152
  • https://stacksports.captainu.com | malicious | Unknown | 77.232.36.155
  • http://blacksaltys.com | malicious | Unknown | 77.232.36.155
  • https://imago-technologies.com/ | malicious | Unknown | 77.232.36.155
  • http://twbcompany.com | malicious | Unknown | 77.232.36.155
  • http://www.twbcompany.com | malicious | Unknown | 77.232.36.155
  • 874A7cigvX.exe | malicious | Tofsee | 77.232.41.29
  • RSno9EH0K9.exe | malicious | Tofsee | 77.232.41.29
  • ODy57hA4Su.exe | malicious | Tofsee | 77.232.41.29
No context
Process:/tmp/hiss.arm5.elf
File Type:ASCII text
Category:dropped
Size (bytes):307
Entropy (8bit):3.5155040099364117
Encrypted:false
SSDEEP:6:QVDFVYz7Y/VUS/FYDFVYA/VVmSY/VjmsVot/VOArB/VH:QVUS/FQdlbl
MD5:8FD5A265718244C944355144E147CD33
SHA1:FB5C82E2BAB66044E892722DD328F9351E323F05
SHA-256:F2BD85B38B72F493CE141AE7477FA3F690BD441177D79D6E4AF85ED57030432C
SHA-512:FFBEA369EF8F9A978EE52CE01AEB1F3E94F68496F3D7D69661B7E500CF850ECE3B2F55B7E711BB3D56CF30795EB4EFFDBA278BD402D7E8C6B9F163A0FFFC6BF7
Malicious:false
Reputation:low
Preview (line breaks restored):
  8000-1c000 r-xp 00000000 fd:00 531606 /tmp/hiss.arm5.elf
  23000-24000 rw-p 00013000 fd:00 531606 /tmp/hiss.arm5.elf
  24000-27000 rw-p 00000000 00:00 0
  27000-29000 rw-p 00000000 00:00 0
  ff7ef000-ff7f0000 ---p 00000000 00:00 0
  ff7f0000-ffff0000 rw-p 00000000 00:00 0 [stack]
File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.096836786087627
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:hiss.arm5.elf
File size:79'832 bytes
MD5:815c385279338f7d51c93e5af7b8e8e6
SHA1:4c0e47eb6055f0923646926dea684bc1915ed01e
SHA256:705ac32cd81c1ecc73c9085a06c4982ab7cb231d0cc8855d217194282b8d8b3c
SHA512:4ddd4e954aa03d59bf865c1a30b1016da74548b1d75990e419c1bc1f383c569a6bb0d03ddd63ac97f3a7bba8165bfc5af24d5f9fc154f0ccb1da94f37c21f3e8
SSDEEP:1536:KTnP6MOxp/P82urtBBIHG3XKMaVxZ5ByF5F46jLvQ5ADFEYMMKAcODgZpAk9NyYw:RME90tW6aVHC46jrhMZpAkzyhbui
TLSH:A0732996BC409B26D5D017BEFE1E528D33131FB8E2EA32029D156F207B9A91F0E3B541
File Content Preview:.ELF..............(.....l...4....5......4. ...(........p.3..........................................l4..l4..............l4..l4..l4.......'..........Q.td.............................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:ARM
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x816c
Flags:0x4000002
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:4
Section Header Offset:79232
Section Header Size:40
Number of Section Headers:15
Header String Table Index:14
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80b4 | 0xb4 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80c8 | 0xc8 | 0x12060 | 0x0 | 0x6 | AX | 0 | 0 | 8
.fini | PROGBITS | 0x1a128 | 0x12128 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x1a13c | 0x1213c | 0x1268 | 0x0 | 0x2 | A | 0 | 0 | 4
.ARM.exidx | ARM_EXIDX | 0x1b3a4 | 0x133a4 | 0xc8 | 0x0 | 0x82 | AL | 2 | 0 | 4
.eh_frame | PROGBITS | 0x2346c | 0x1346c | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x23470 | 0x13470 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x23474 | 0x13474 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x23478 | 0x13478 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x2347c | 0x1347c | 0x28 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x234a4 | 0x134a4 | 0x50 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x234f8 | 0x134f4 | 0x2748 | 0x0 | 0x3 | WA | 0 | 0 | 8
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x134f4 | 0x14 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x13508 | 0x77 | 0x0 | 0x0 | | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
EXIDX | 0x133a4 | 0x1b3a4 | 0x1b3a4 | 0xc8 | 0xc8 | 4.3418 | 0x4 | R | 0x4 | | .ARM.exidx
LOAD | 0x0 | 0x8000 | 0x8000 | 0x1346c | 0x1346c | 6.1102 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .ARM.exidx
LOAD | 0x1346c | 0x2346c | 0x2346c | 0x88 | 0x27d4 | 3.2474 | 0x6 | RW | 0x8000 | | .eh_frame .init_array .fini_array .jcr .got .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

  • Total Packets: 17
  • 5555 (undefined)
  • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 2, 2024 04:22:11.207118988 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:11.212095022 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:11.212162018 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:13.227698088 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:13.232790947 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:13.232886076 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:13.237867117 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:33.250188112 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:33.255476952 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:33.646661997 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:33.646836042 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:53.665648937 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:22:53.670447111 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:54.058636904 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:22:54.058747053 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:23:14.078602076 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:23:14.083645105 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:23:14.472527981 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:23:14.472820044 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:23:34.492624998 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:23:34.498574018 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:23:34.885751009 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:23:34.885888100 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:23:54.905411005 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:23:54.910317898 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:23:55.297092915 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:23:55.297207117 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:24:15.316771030 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Nov 2, 2024 04:24:15.321573019 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:24:15.708697081 CET | 5555 | 50190 | 77.232.39.139 | 192.168.2.14
Nov 2, 2024 04:24:15.708842993 CET | 50190 | 5555 | 192.168.2.14 | 77.232.39.139
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 2, 2024 04:22:11.184125900 CET | 43207 | 53 | 192.168.2.14 | 8.8.8.8
Nov 2, 2024 04:22:11.194730997 CET | 53 | 43207 | 8.8.8.8 | 192.168.2.14
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 2, 2024 04:22:11.184125900 CET | 192.168.2.14 | 8.8.8.8 | 0x7f5b | Standard query (0) | dvrhelpers.su | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC):03:22:10
Start date (UTC):02/11/2024
Path:/tmp/hiss.arm5.elf
Arguments:/tmp/hiss.arm5.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):03:22:10
Start date (UTC):02/11/2024
Path:/tmp/hiss.arm5.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):03:22:10
Start date (UTC):02/11/2024
Path:/tmp/hiss.arm5.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):03:22:10
Start date (UTC):02/11/2024
Path:/tmp/hiss.arm5.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1