Linux Analysis Report
faith.elf

Overview

General Information

Sample name: faith.elf
Analysis ID: 1552223
MD5: 342432ebc4caf520ba541c96916af5fa
SHA1: 59757a3fcfae595e5b3fb8d2e1cd0295b74b7e62
SHA256: fe5b23807c9eae2b931f7d459d8b94ec2959b055bddc55d027cc6883afbbeacf
Tags: elf, user-abuse_ch

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Manipulation of devices in /dev
Sample deletes itself
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1552223
Start date and time: 2024-11-08 14:28:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: faith.elf
Detection: MAL
Classification: mal64.evad.linELF@0/1@0/0
  • VT rate limit hit for: faith.elf
Command: /tmp/faith.elf
PID: 5502
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
we gone now
Standard Error:
  • system is lnxubuntu20
  • faith.elf (PID: 5502, Parent: 5420, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/faith.elf
    • sh (PID: 5504, Parent: 5502, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c mount
      • sh New Fork (PID: 5510, Parent: 5504)
      • mount (PID: 5510, Parent: 5504, MD5: 92b20aa8b155ecd3ba9414aa477ef565) Arguments: mount
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: faith.elf | Avira: detected
Source: faith.elf | ReversingLabs: Detection: 36%
Source: LOAD without section mappings | Program segment: 0x400000
Source: classification engine | Classification label: mal64.evad.linELF@0/1@0/0

Data Obfuscation

Source: /tmp/faith.elf (PID: 5502) | Deleted: /dev/test_write
Source: /tmp/faith.elf (PID: 5502) | Written: /dev/test_write
Source: /tmp/faith.elf (PID: 5504) | Shell command executed: sh -c mount

Hooking and other Techniques for Hiding and Protection

Source: /tmp/faith.elf (PID: 5502) | File: /tmp/faith.elf
Source: faith.elf | Submission file: segment LOAD with 7.9127 entropy (max. 8.0)
Source: faith.elf | Submission file: segment LOAD with 7.971 entropy (max. 8.0)
Source: /tmp/faith.elf (PID: 5502) | Queries kernel information via 'uname'
Source: /usr/bin/mount (PID: 5510) | Queries kernel information via 'uname'
Source: faith.elf, 5502.1.000055ceb9024000.000055ceb90cb000.rw-.sdmp, faith.elf, 5512.1.000055ceb9024000.000055ceb90cb000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: faith.elf, 5502.1.000055ceb9024000.000055ceb90cb000.rw-.sdmp, faith.elf, 5512.1.000055ceb9024000.000055ceb90cb000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: faith.elf, 5502.1.00007ffe859e0000.00007ffe85a01000.rw-.sdmp, faith.elf, 5512.1.00007ffe859e0000.00007ffe85a01000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Source: faith.elf, 5502.1.00007ffe859e0000.00007ffe85a01000.rw-.sdmp, faith.elf, 5512.1.00007ffe859e0000.00007ffe85a01000.rw-.sdmp | Binary or memory string: *1x86_64/usr/bin/qemu-mipsel/tmp/faith.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/faith.elf
MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques with matched signature counts, as shown on the page: Scripting (1, listed twice), Obfuscated Files or Information (1), Security Software Discovery (11), File Deletion (1).
No configs have been found
Behavior graph (ID: 1552223, sample: faith.elf, start date: 08/11/2024, architecture: LINUX, score: 64):

  • faith.elf started; matched "Antivirus / Scanner detection for submitted sample" and "Multi AV Scanner detection for submitted file"
  • faith.elf dropped /dev/test_write (PGP); matched "Manipulation of devices in /dev" and "Sample deletes itself"
  • faith.elf started sh, which started mount; faith.elf also started a second faith.elf process

Source | Detection | Scanner | Label
faith.elf | 37% | ReversingLabs | Linux.Trojan.Multiverze
faith.elf | 100% | Avira | LINUX/AVI.Agent.dqzbs
No Antivirus matches
No contacted domains info
No contacted IP infos
No context
Process: /tmp/faith.elf
File Type: PGP Secret Sub-key -
Category: dropped
Size (bytes): 2032
Entropy (8bit): 7.898142690393521
Encrypted: false
SSDEEP: 48:19Bb+xn0bi2eePNR1Cf1F6r+e0ZzPbbYJsjXRnJ5/qq+dHJ:/BbcFRej1CfjeEPPYyhqNdHJ
MD5: E8E431E6822F0EF76680C0E4B129E1B1
SHA1: 8A74CEF33CA13730F1292431A81C79288C204CC6
SHA-256: 2768532841AA5A019587E88C73E7D03F68212C815BAF84F7EA00BF62A95D09D3
SHA-512: A6F736AFC154A2B69D0E28DAAB8523F5335F8C54BA18013F93DB171169CF0F27345EC747D8B314EA23E2A102D1E8DE869E460FC6CBCFA0DD6C724CA5F77A0CA5
Malicious: true
Reputation: low
Preview:....r..t..5..D.O.......V.M_...h...rQ.(.P...x?V.......Zf......P................,../.X.I....[.)Ez..3..*.....z'"e.Q...@2...(4.Rz/eeb3o..^w...3"V.sN.t.2.h)5.....|o ..2Ir?Idrl.`..`S..`...........+..]b.......o...JAa.@.A.^.\i.r...7........:.;|<.X'...&k....`t.f..T.........W...)...z.q...r.8tp..;q...F.+..#.rM]...S.2$G.\.A..|Z.s..b.......N^.06...G.S...Z...GnJ1D.F"..#..r9z.o.%{......J..!.*l5n.{..Y..@&...xJ..!.....\GZ}L.......V7.].Q%E..8....V.+...u.kh.h.#NT....`B.......(.x..b.4...5.Q...G....././lC.Gk....!.....#....^{@K.[{....Q.C...A7$T..^.6K.L>...F.b.q.....1.a4..XQ.j.6....9.....U..GS.6S.g.=...._r^...._.B..4.......(.j.nzA.....[.2Z..E@..u..........E.VO.mL....)..G0i..6...sn.I....M.!.*.........-.+.6.v...l.2........8v.FQnC.q.C......v.t4.n>4....z....J....E.....[^50.i.@.....%....%.@j..zO.9..n...A...+..Q!&B....&E0 ....).g..?.`.>j...;.&}.(d....r......%C9..Q..B....k.v2.!...9.w.UPE..).,.j.......w.>.2.....%.CD.......H.$...9e:.ex..]..\y.....Ov.k)t...h|..m2/...M
File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit): 7.971760975190941
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: faith.elf
File size: 69'440 bytes
MD5: 342432ebc4caf520ba541c96916af5fa
SHA1: 59757a3fcfae595e5b3fb8d2e1cd0295b74b7e62
SHA256: fe5b23807c9eae2b931f7d459d8b94ec2959b055bddc55d027cc6883afbbeacf
SHA512: b478988b3d83626f8d5c35d23560d7e0e368033dd0b35212e98db0beabf7e38d1101d42d81345188068a498feabf2d8de4fcdb6a7b3aae370af780d37685a271
SSDEEP: 1536:ZLAC/jpWMsTR732Om4H7JPoTFYWGO8qmAd9kJik+KOZJP5NLXFc:ZlsMsT8fhR8qmAd9ywKOZR596
TLSH: 8563024DBE3CB7E08764BE38D4E466937F6550D2A0D08BA60730EE81F33AF02658A565
File Content Preview:.ELF....................P.I.4...........4. ...................@...@......*....................I...I....................{1wom.........R...R......_..........?.E.h;....#....3.FR..f....k.N.T.M..i.%0.Zb5..... >2.../..Y...U4.K?..J....<$..C|.-..=.z..^G......#...

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x49f050
Flags: 0x1007
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 2
Section Header Offset: 0
Section Header Size: 0
Number of Section Headers: 0
Header String Table Index: 0

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x1000 | 0x82af8 | 7.9127 | 0x6 | RW | 0x10000 | | 
LOAD | 0x0 | 0x490000 | 0x490000 | 0x103e9 | 0x103e9 | 7.9710 | 0x5 | R E | 0x10000 | | 
No network behavior found

System Behavior

Start time (UTC): 13:29:03
Start date (UTC): 08/11/2024
Path: /tmp/faith.elf
Arguments: -
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC): 13:29:03
Start date (UTC): 08/11/2024
Path: /bin/sh
Arguments: sh -c mount
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 13:29:03
Start date (UTC): 08/11/2024
Path: /bin/sh
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 13:29:03
Start date (UTC): 08/11/2024
Path: /usr/bin/mount
Arguments: mount
File size: 55528 bytes
MD5 hash: 92b20aa8b155ecd3ba9414aa477ef565

Start time (UTC): 13:29:03
Start date (UTC): 08/11/2024
Path: /tmp/faith.elf
Arguments: -
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9