Linux Analysis Report
mipsel64.elf

Overview

General Information

Sample name: mipsel64.elf
Analysis ID: 1575395
MD5: c57f13ec58d8505c72097cc0fc38026e
SHA1: 247ffd722d6592c2e3f532c3b4126cbe6cbadfca
SHA256: 29134e07ec360c58515582692bfad64a6710c2469138b7a5a5edf60120f3f866
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575395
Start date and time: 2024-12-15 13:16:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: mipsel64.elf
Detection: MAL
Classification: mal52.spyw.evad.linELF@0/0@1/0
Command: /tmp/mipsel64.elf
PID: 5558
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Firmware update in progress
Standard Error:
  • system is lnxubuntu20
  • mipsel64.elf (PID: 5558, Parent: 5483, MD5: d88bbe97c637fddd210e2a7eb79a9fdf) Arguments: /tmp/mipsel64.elf
  • cleanup
No yara matches
No Suricata rule has matched


Networking

Source: /tmp/mipsel64.elf (PID: 5562) | Opens: /sys/class/net/
Source: /tmp/mipsel64.elf (PID: 5562) | Opens: /sys/class/net/ens160/address
Source: /tmp/mipsel64.elf (PID: 5562) | Opens: /sys/class/net/ens160/flags
Source: /tmp/mipsel64.elf (PID: 5562) | Opens: /sys/class/net/ens160/carrier
Source: global traffic | TCP traffic: 192.168.2.15:43212 -> 5.230.251.14:9001
Source: unknown | TCP traffic detected without corresponding DNS query: 5.230.251.14 (5 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 86.104.72.130 (6 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 172.217.192.127
Source: unknown | UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: global traffic | DNS traffic detected: DNS query: iranistrash.libre
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.spyw.evad.linELF@0/0@1/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/mipsel64.elf (PID: 5558) | File: /tmp/mipsel64.elf
Source: /tmp/mipsel64.elf (PID: 5558) | Queries kernel information via 'uname'
Source: /tmp/mipsel64.elf (PID: 5562) | Queries kernel information via 'uname'
Source: mipsel64.elf, 5558.1.00007ffea0c42000.00007ffea0c63000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsn32el/tmp/mipsel64.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel64.elf
Source: mipsel64.elf, 5558.1.00005560d928e000.00005560d9335000.rw-.sdmp | Binary or memory string: `U1MIPS64R2-generic-mips64-cpu1/etc/qemu-binfmt/mipsn32el
Source: mipsel64.elf, 5558.1.00005560d928e000.00005560d9335000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsn32el
Source: mipsel64.elf, 5558.1.00007ffea0c42000.00007ffea0c63000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsn32el

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: iranistrash.libre

MITRE ATT&CK matrix: techniques with hits (hit count in parentheses)
  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No configs have been found
Behavior graph (ID: 1575395, sample: mipsel64.elf, start date: 15/12/2024, architecture: LINUX, score: 52): mipsel64.elf (Sample deletes itself) starts a child mipsel64.elf (Opens /sys/class/net/* files useful for querying network interface information), which in turn starts two further mipsel64.elf processes. Network nodes: iranistrash.libre (Performs DNS TXT record lookups); 86.104.72.130, ports 1935 and 50944, TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO, Romania; 2 other IPs or domains.
Antivirus detection
Source | Detection | Scanner | Label
mipsel64.elf | 8% | ReversingLabs | Linux.Trojan.Mirai
No other Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
iranistrash.libre | unknown | unknown | false | (none) | high
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.192.127 | unknown | United States | 15169 | GOOGLEUS | false
86.104.72.130 | unknown | Romania | 50636 | TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO | false
5.230.251.14 | unknown | Germany | 12586 | ASGHOSTNETDE | false
      No created / dropped files found
File type: ELF 32-bit LSB executable, MIPS, N32 MIPS64 version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.850218304088202
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: mipsel64.elf
File size: 144'116 bytes
MD5: c57f13ec58d8505c72097cc0fc38026e
SHA1: 247ffd722d6592c2e3f532c3b4126cbe6cbadfca
SHA256: 29134e07ec360c58515582692bfad64a6710c2469138b7a5a5edf60120f3f866
SHA512: 6c8968b033dc4d1ef8be2b686592a8e3cca8e54ea01493791d539699784b82cff237c33cedfa7f67efaba92acdcf345243cdb53d21e1a1e817a9d913ad13c87c
SSDEEP: 1536:WHZzXYw+Kd3HgVUpaEyJqMo+9+5DXDIrlrNl3b/Cpeoj4Psfn5PwzMENI7ynCsc8:WHZr+k3clxl3b6ZPcSynGoo8wbwq/J
TLSH: C2E33B87FC0A0E89F06ECEF4866DC7D73D5125EB62B6D931829C4DD97B1B2680E87484

      ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x100008f0
Flags: 0x60000027
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 5
Section Header Offset: 143516
Section Header Size: 40
Number of Section Headers: 15
Header String Table Index: 14
Section headers
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.MIPS.abiflags | MIPS_ABIFLAGS | 0x100000d8 | 0xd8 | 0x18 | 0x18 | 0x2 | A | 0 | 0 | 8
.init | PROGBITS | 0x100000f0 | 0xf0 | 0x68 | 0x0 | 0x6 | AX | 0 | 0 | 8
.text | PROGBITS | 0x10000160 | 0x160 | 0x19f30 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x1001a090 | 0x1a090 | 0x48 | 0x0 | 0x6 | AX | 0 | 0 | 8
.rodata | PROGBITS | 0x1001a0e0 | 0x1a0e0 | 0x8400 | 0x0 | 0x2 | A | 0 | 0 | 16
.tbss | NOBITS | 0x100329b8 | 0x229b8 | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4
.ctors | PROGBITS | 0x100329b8 | 0x229b8 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x100329c0 | 0x229c0 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x100329d0 | 0x229d0 | 0x1d8 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x10032bb0 | 0x22bb0 | 0x46c | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
.sbss | NOBITS | 0x1003301c | 0x2301c | 0x2c | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.bss | NOBITS | 0x10033050 | 0x2301c | 0x4d50 | 0x0 | 0x3 | WA | 0 | 0 | 16
.gnu.attributes | GNU_ATTRIBUTES | 0x0 | 0x2301c | 0x10 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x2302c | 0x6e | 0x0 | 0x0 | | 0 | 0 | 1
Program headers
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
ABIFLAGS | 0xd8 | 0x100000d8 | 0x100000d8 | 0x18 | 0x18 | 1.1761 | 0x4 | R | 0x8 | | .MIPS.abiflags
LOAD | 0x0 | 0x10000000 | 0x10000000 | 0x224e0 | 0x224e0 | 5.8967 | 0x5 | R E | 0x10000 | | .MIPS.abiflags .init .text .fini .rodata
LOAD | 0x229b8 | 0x100329b8 | 0x100329b8 | 0x664 | 0x53e8 | 4.3993 | 0x6 | RW | 0x10000 | | .tbss .ctors .dtors .data .got .sbss .bss
TLS | 0x229b8 | 0x100329b8 | 0x100329b8 | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | | .tbss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 13:17:27.217780113 CET | 43212 | 9001 | 192.168.2.15 | 5.230.251.14
Dec 15, 2024 13:17:27.337512970 CET | 9001 | 43212 | 5.230.251.14 | 192.168.2.15
Dec 15, 2024 13:17:27.337625980 CET | 43212 | 9001 | 192.168.2.15 | 5.230.251.14
Dec 15, 2024 13:17:27.338129997 CET | 43212 | 9001 | 192.168.2.15 | 5.230.251.14
Dec 15, 2024 13:17:27.457891941 CET | 9001 | 43212 | 5.230.251.14 | 192.168.2.15
Dec 15, 2024 13:17:37.348362923 CET | 43212 | 9001 | 192.168.2.15 | 5.230.251.14
Dec 15, 2024 13:17:37.512311935 CET | 9001 | 43212 | 5.230.251.14 | 192.168.2.15
Dec 15, 2024 13:17:38.351038933 CET | 50944 | 1935 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 13:17:38.470946074 CET | 1935 | 50944 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 13:17:38.471071959 CET | 50944 | 1935 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 13:17:38.471111059 CET | 50944 | 1935 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 13:17:38.591388941 CET | 1935 | 50944 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 13:17:39.560213089 CET | 1935 | 50944 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 13:17:39.560286045 CET | 50944 | 1935 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 13:17:49.252398014 CET | 9001 | 43212 | 5.230.251.14 | 192.168.2.15
Dec 15, 2024 13:17:49.252530098 CET | 43212 | 9001 | 192.168.2.15 | 5.230.251.14
Dec 15, 2024 13:18:49.627892971 CET | 50944 | 1935 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 13:18:49.748303890 CET | 1935 | 50944 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 13:18:49.945331097 CET | 1935 | 50944 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 13:18:49.945771933 CET | 50944 | 1935 | 192.168.2.15 | 86.104.72.130
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 13:17:25.736345053 CET | 19668 | 3478 | 192.168.2.15 | 172.217.192.127
Dec 15, 2024 13:17:26.938930988 CET | 3478 | 19668 | 172.217.192.127 | 192.168.2.15
Dec 15, 2024 13:17:26.969463110 CET | 57959 | 53 | 192.168.2.15 | 217.160.70.42
Dec 15, 2024 13:17:27.216026068 CET | 53 | 57959 | 217.160.70.42 | 192.168.2.15
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 15, 2024 13:17:26.969463110 CET | 192.168.2.15 | 217.160.70.42 | 0x30b2 | Standard query (0) | iranistrash.libre | 16 | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 15, 2024 13:17:27.216026068 CET | 217.160.70.42 | 192.168.2.15 | 0x30b2 | No error (0) | iranistrash.libre | | | TXT (Text strings) | IN (0x0001) | false

      System Behavior

Start time (UTC): 12:17:22
Start date (UTC): 15/12/2024
Path: /tmp/mipsel64.elf
Arguments: /tmp/mipsel64.elf
File size: 5826360 bytes
MD5 hash: d88bbe97c637fddd210e2a7eb79a9fdf

Start time (UTC): 12:17:24
Start date (UTC): 15/12/2024
Path: /tmp/mipsel64.elf
Arguments: -
File size: 5826360 bytes
MD5 hash: d88bbe97c637fddd210e2a7eb79a9fdf

Start time (UTC): 12:17:25
Start date (UTC): 15/12/2024
Path: /tmp/mipsel64.elf
Arguments: -
File size: 5826360 bytes
MD5 hash: d88bbe97c637fddd210e2a7eb79a9fdf

Start time (UTC): 12:17:25
Start date (UTC): 15/12/2024
Path: /tmp/mipsel64.elf
Arguments: -
File size: 5826360 bytes
MD5 hash: d88bbe97c637fddd210e2a7eb79a9fdf