Linux Analysis Report
sparc.elf

Overview

General Information

Sample name: sparc.elf
Analysis ID: 1575427
MD5: f34a8e0f7516187c9abcbc7c46626eb0
SHA1: fc3cabdb9b129bbc6efdc2b516e35ee19d4a2902
SHA256: 2f3d65e0e55d1973ef61bb8ae6594cb438eb2191e88e48398f2b8aa6b68965f7
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575427
Start date and time: 2024-12-15 14:58:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: sparc.elf
Detection: MAL
Classification: mal60.spyw.evad.linELF@0/0@1/0
Command: /tmp/sparc.elf
PID: 5839
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output:
Firmware update in progress
Standard Error:
  • system is lnxubuntu20
  • sparc.elf (PID: 5839, Parent: 5764, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/sparc.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: sparc.elf | Virustotal: Detection: 17%
Source: sparc.elf | ReversingLabs: Detection: 13%

Networking

Source: /tmp/sparc.elf (PID: 5841) | Opens: /sys/class/net/
Source: /tmp/sparc.elf (PID: 5841) | Opens: /sys/class/net/ens160/address
Source: /tmp/sparc.elf (PID: 5841) | Opens: /sys/class/net/ens160/flags
Source: /tmp/sparc.elf (PID: 5841) | Opens: /sys/class/net/ens160/carrier
Source: global traffic | TCP traffic: 192.168.2.15:57334 -> 86.104.72.130:3724
Source: unknown | TCP traffic detected without corresponding DNS query: 86.104.72.130 (reported 5 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 172.217.192.127
Source: unknown | UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: global traffic | DNS traffic detected: DNS query: iranistrash.libre
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal60.spyw.evad.linELF@0/0@1/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/sparc.elf (PID: 5839) | File: /tmp/sparc.elf
Source: /tmp/sparc.elf (PID: 5839) | Queries kernel information via 'uname'
Source: /tmp/sparc.elf (PID: 5841) | Queries kernel information via 'uname'
Source: sparc.elf, 5839.1.00005639d9a27000.00005639d9a8c000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sparc
Source: sparc.elf, 5839.1.00005639d9a27000.00005639d9a8c000.rw-.sdmp | Binary or memory string: 9V!/etc/qemu-binfmt/sparc
Source: sparc.elf, 5839.1.00007ffd48d1d000.00007ffd48d3e000.rw-.sdmp | Binary or memory string: s5x86_64 /usr/bin/qemu-sparc /tmp/sparc.elf SUDO_USER=saturnino PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin DISPLAY=:1.0 XAUTHORITY=/run/user/1000/gdm/Xauthority SUDO_UID=1000 TERM=xterm-256color COLORTERM=truecolor LOGNAME=root USER=root LANG=en_US.UTF-8 SUDO_COMMAND=/bin/bash HOME=/root MAIL=/var/mail/root SUDO_GID=1000 SHELL=/bin/bash /tmp/sparc.elf
Source: sparc.elf, 5839.1.00007ffd48d1d000.00007ffd48d3e000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sparc

The two strings from the 0x7ffd48d1d000 region are the argv and environment of the host-side qemu-sparc process that runs the SPARC binary through binfmt_misc (the analysis VM is x86_64): they are artefacts of the emulation setup, not strings embedded in the sample.

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: iranistrash.libre
MITRE ATT&CK matrix (only techniques with matched signatures are listed; the number is the count of matched signatures, and the remaining cells of the matrix are unmatched placeholders):

  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No configs have been found
Source | Detection | Scanner | Label
sparc.elf | 17% | Virustotal | (none)
sparc.elf | 13% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
iranistrash.libre | unknown | unknown | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.192.127 | unknown | United States | 15169 | GOOGLEUS | false
86.104.72.130 | unknown | Romania | 50636 | TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO | false
Context for IP 86.104.72.130 (other samples in Joe Sandbox that contacted it):
Match | Associated Sample Name / URL | Detection | Threat Name
86.104.72.130 | sh4.elf | malicious | Unknown
86.104.72.130 | mipsel64.elf | malicious | Unknown
86.104.72.130 | mips.elf | malicious | Unknown
86.104.72.130 | sparc.elf | malicious | Unknown
No context
Context for ASN TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO (other samples in Joe Sandbox that contacted this AS):
Match | Associated Sample Name / URL | Detection | Threat Name | IP
TELE-ROM-AS | sh4.elf | malicious | Unknown | 86.104.72.130
TELE-ROM-AS | mipsel64.elf | malicious | Unknown | 86.104.72.130
TELE-ROM-AS | mips.elf | malicious | Unknown | 86.104.72.130
TELE-ROM-AS | sparc.elf | malicious | Unknown | 86.104.72.130
TELE-ROM-AS | RHxJqGoGFB.exe | malicious | Sality | 86.104.74.51
TELE-ROM-AS | uniswap-sniper-bot-with-gui Setup 1.0.0.exe | malicious | Unknown | 86.104.74.51
TELE-ROM-AS | uniswap-sniper-bot-with-gui Setup 1.0.0.exe | malicious | Unknown | 86.104.74.51
TELE-ROM-AS | na.hta | malicious | Metasploit | 86.104.74.31
TELE-ROM-AS | g4nWvGoRNZ.exe | malicious | Remcos | 86.104.72.183
TELE-ROM-AS | 5046511eb489387b7a835a990ea3b36b77185f3fad905511c4bce30aa654c60b_dump.exe | malicious | Remcos | 86.104.72.183
No context
            No created / dropped files found
File type: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.06808526708284
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: sparc.elf
File size: 84'252 bytes
MD5: f34a8e0f7516187c9abcbc7c46626eb0
SHA1: fc3cabdb9b129bbc6efdc2b516e35ee19d4a2902
SHA256: 2f3d65e0e55d1973ef61bb8ae6594cb438eb2191e88e48398f2b8aa6b68965f7
SHA512: 9c2569ab7619660536df7c900c91accd41cb15e601450bcd7825c480f12927dc94281230ce45411ee7e366ecb2b7ddf39008d06534f6ba159bf0ac1edfd4ac0e
SSDEEP: 1536:/xBWg4Eg96oyakoM2bnTnPv68MEQrxA1VwWutloRG:/pq96KkEbrXB/9u4RG
TLSH: FA835B21AA761E2BC1C0B57921F7436AF2F257491868CA1F7D620E9EFF2556032137BC
File Content Preview: .ELF...........................4..G<.....4. ...(......................D ..D ..............D ..D ..D ......:.........dt.Q................................@..(....@.N.................#.....b...`.....!.....!...@.....".........`......$!...!...@...........`....

            ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: Sparc
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x101a4
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 83772 (0x1473c)
Section Header Size: 40
Number of Section Headers: 12
Header String Table Index: 11

Consistency check: 83772 + 12 × 40 = 84252, exactly the file size, so the section header table is the last thing in the file and no data is appended after it.
Sections
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(empty) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | (none) | 0 | 0 | 0
.init | PROGBITS | 0x10094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x100b0 | 0xb0 | 0x13b10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x23bc0 | 0x13bc0 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x23bd8 | 0x13bd8 | 0x848 | 0x0 | 0x2 | A | 0 | 0 | 8
.eh_frame | PROGBITS | 0x34420 | 0x14420 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.ctors | PROGBITS | 0x34424 | 0x14424 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x3442c | 0x1442c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x34438 | 0x14438 | 0xd4 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x34510 | 0x14510 | 0x1dc | 0x0 | 0x3 | WA | 0 | 0 | 8
.bss | NOBITS | 0x346f0 | 0x146ec | 0x3730 | 0x0 | 0x3 | WA | 0 | 0 | 8
.shstrtab | STRTAB | 0x0 | 0x146ec | 0x4d | 0x0 | 0x0 | (none) | 0 | 0 | 1
Program headers
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x10000 | 0x10000 | 0x14420 | 0x14420 | 6.0880 | 0x5 | R E | 0x10000 | (none) | .init .text .fini .rodata
LOAD | 0x14420 | 0x34420 | 0x34420 | 0x2cc | 0x3a00 | 3.0247 | 0x6 | RW | 0x10000 | (none) | .eh_frame .ctors .dtors .got .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | (none) | (none)

There is no PT_INTERP or PT_DYNAMIC segment, consistent with the "statically linked" file type, and no .symtab section, consistent with "stripped". GNU_STACK carries RW only, so the binary requests a non-executable stack. The second LOAD segment's memory size (0x3a00) exceeds its file size (0x2cc) by 0x3734 bytes, which is the zero-initialised .bss (0x3730 bytes) plus its 8-byte alignment padding.
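As an added example (it is neither part of the Joe Sandbox report nor code from the sample), the Python below reads the same ELF32 big-endian structures tabulated above and derives the static facts the report states: machine, type, entry point, section names, whether a .symtab is present (stripped or not), whether PT_INTERP/PT_DYNAMIC are absent (static), the GNU_STACK flags, and how many bytes trail the section header table. Because the sample itself is not on this page, the block constructs a minimal SPARC ELF with the same layout conventions (base 0x10000, one R E LOAD, a RW GNU_STACK, no .symtab); the constructed image, its nop-only .text and the helper names are assumptions of this example. Run it with a file path as the first argument to apply it to a real binary.

```python
import json
import struct
import sys

# ELF constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFDATA2MSB = 1, 2
ET_EXEC, EM_SPARC = 2, 2
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_STACK = 1, 2, 3, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = ">HHIIIIIHHHHHH"  # Elf32_Ehdr after the 16-byte e_ident (36 bytes)
PHDR_FMT = ">IIIIIIII"       # Elf32_Phdr (32 bytes, matches "Program Header Size: 32")
SHDR_FMT = ">IIIIIIIIII"     # Elf32_Shdr (40 bytes, matches "Section Header Size: 40")


def flag_str(p_flags: int) -> str:
    """Render p_flags the way the report does: R, W, E."""
    return "".join(c for bit, c in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if p_flags & bit)


def parse_elf32_be(data: bytes) -> dict:
    """Parse an ELF32 big-endian image and return the triage facts listed in the report."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2MSB:
        raise ValueError("only ELF32 big-endian (ELFCLASS32 / ELFDATA2MSB) is handled here")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _eflags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)

    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]

    # Section names are NUL-terminated strings inside the section selected by e_shstrndx.
    str_off, str_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]

    def name(sh_name: int) -> str:
        return strtab[sh_name:strtab.index(b"\x00", sh_name)].decode()

    sh_types = [sh[1] for sh in shdrs]
    ph_types = [ph[0] for ph in phdrs]
    gnu_stack = [ph for ph in phdrs if ph[0] == PT_GNU_STACK]
    return {
        "machine": "SPARC" if e_machine == EM_SPARC else hex(e_machine),
        "type": "EXEC" if e_type == ET_EXEC else e_type,
        "entry": e_entry,
        "sections": [name(sh[0]) for sh in shdrs],
        "stripped": SHT_SYMTAB not in sh_types,                       # no .symtab at all
        "static": PT_INTERP not in ph_types and PT_DYNAMIC not in ph_types,
        "nx_stack": (not (gnu_stack[0][6] & PF_X)) if gnu_stack else None,
        "load_segments": [(hex(ph[2]), ph[4], ph[5], flag_str(ph[6])) for ph in phdrs if ph[0] == PT_LOAD],
        # Bytes after the section header table: 0 for the report's sample (83772 + 12*40 == 84252).
        "overlay_bytes": len(data) - (e_shoff + e_shnum * e_shentsize),
    }


def build_sample_elf() -> bytes:
    """Constructed minimal ELF32 MSB SPARC executable in the report's layout (assumption, not the sample)."""
    shstrtab = b"\x00.text\x00.shstrtab\x00"
    text = b"\x01\x00\x00\x00" * 4                # four SPARC nops (sethi 0, %g0) as placeholder code
    base = 0x10000
    text_off = 52 + 2 * 32                        # ELF header + two program headers
    shstr_off = text_off + len(text)
    sh_off = (shstr_off + len(shstrtab) + 3) & ~3  # section header table, 4-byte aligned
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0, 0]) + b"\x00" * 7
    ehdr = ident + struct.pack(EHDR_FMT, ET_EXEC, EM_SPARC, 1, base + text_off, 52, sh_off, 0,
                               52, 32, 2, 40, 3, 2)
    phdrs = struct.pack(PHDR_FMT, PT_LOAD, 0, base, base, sh_off, sh_off, PF_R | PF_X, 0x10000)
    phdrs += struct.pack(PHDR_FMT, PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W, 4)   # RW stack, no X
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))                                    # SHT_NULL entry
    shdrs += struct.pack(SHDR_FMT, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                         base + text_off, text_off, len(text), 0, 0, 4, 0)
    shdrs += struct.pack(SHDR_FMT, 7, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + phdrs + text + shstrtab
    body += b"\x00" * (sh_off - len(body))
    return body + shdrs


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(json.dumps(parse_elf32_be(image), indent=2))
```

The parser deliberately stops at header-level facts; it does not disassemble. Treating "no SHT_SYMTAB" as "stripped" matches what the report's static-info signature checks, and the overlay count is the same arithmetic as the consistency check above.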
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 15:00:12.843064070 CET | 57334 | 3724 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 15:00:12.962928057 CET | 3724 | 57334 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 15:00:12.963119984 CET | 57334 | 3724 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 15:00:12.963792086 CET | 57334 | 3724 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 15:00:13.083911896 CET | 3724 | 57334 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 15:00:14.053087950 CET | 3724 | 57334 | 86.104.72.130 | 192.168.2.15
Dec 15, 2024 15:00:14.053328037 CET | 57334 | 3724 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 15:01:44.132062912 CET | 57334 | 3724 | 192.168.2.15 | 86.104.72.130
Dec 15, 2024 15:01:44.252193928 CET | 3724 | 57334 | 86.104.72.130 | 192.168.2.15

UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 15:00:11.371671915 CET | 64291 | 3478 | 192.168.2.15 | 172.217.192.127
Dec 15, 2024 15:00:12.580975056 CET | 3478 | 64291 | 172.217.192.127 | 192.168.2.15
Dec 15, 2024 15:00:12.596668005 CET | 43707 | 53 | 192.168.2.15 | 194.36.144.87
Dec 15, 2024 15:00:12.841053009 CET | 53 | 43707 | 194.36.144.87 | 192.168.2.15

DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 15, 2024 15:00:12.596668005 CET | 192.168.2.15 | 194.36.144.87 | 0x56ab | Standard query (0) | iranistrash.libre | 16 (TXT) | IN (0x0001) | false

DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 15, 2024 15:00:12.841053009 CET | 194.36.144.87 | 192.168.2.15 | 0x56ab | No error (0) | iranistrash.libre | (none) | (none) | TXT (Text strings) | IN (0x0001) | false

Order of events in the capture: a UDP exchange with 172.217.192.127 on port 3478 (the STUN port), then the TXT lookup of iranistrash.libre through 194.36.144.87, then, about 2 ms after the TXT answer arrives, the first TCP packet to 86.104.72.130:3724. No A record was ever queried for 86.104.72.130, and the contents of the TXT record are not shown in this report. A second short TCP exchange with the same host follows 90 s later.
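The networking signatures in this report (a TXT lookup, TCP to an address that was never resolved, a non-standard port, UDP without DNS) are the kind of correlation a detection engineer writes over DNS and connection logs. As an added example that is not part of the Joe Sandbox report, the Python below runs such rules over a constructed event log that re-expresses the report's packet and DNS rows one event per line, plus one constructed benign lookup-then-connect pair (example.com, 93.184.216.34) so the non-alerting path is visible. The "standard" TCP port set, the STUN port set and the 5-second TXT-answer-to-connection window are assumptions of this example, not Joe Sandbox's definitions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed event log (not sandbox output). Times and addresses of the first five
# lines are taken from the report's tables; the last three lines are a constructed
# benign pair used to show that a resolved address on a standard port is not flagged.
EVENTS = """\
2024-12-15T15:00:11.371 conn udp 192.168.2.15 64291 172.217.192.127 3478
2024-12-15T15:00:12.596 dns_query 192.168.2.15 194.36.144.87 iranistrash.libre TXT
2024-12-15T15:00:12.841 dns_answer 194.36.144.87 192.168.2.15 iranistrash.libre TXT -
2024-12-15T15:00:12.843 conn tcp 192.168.2.15 57334 86.104.72.130 3724
2024-12-15T15:01:44.132 conn tcp 192.168.2.15 57334 86.104.72.130 3724
2024-12-15T15:02:00.000 dns_query 192.168.2.15 194.36.144.87 example.com A
2024-12-15T15:02:00.100 dns_answer 194.36.144.87 192.168.2.15 example.com A 93.184.216.34
2024-12-15T15:02:00.200 conn tcp 192.168.2.15 50001 93.184.216.34 443
"""

# Assumptions of this example, not Joe Sandbox's lists.
STANDARD_TCP_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}
STUN_PORTS = {3478, 5349}
TXT_WINDOW = timedelta(seconds=5)   # how soon after a TXT answer a new connection counts as related


def analyse(log: str, resolver_ips=frozenset()):
    """Return [(rule, key), ...] in detection order, one entry per distinct (rule, key)."""
    resolved = set()         # addresses handed out in A/AAAA answers so far
    last_txt_answer = None   # time of the most recent TXT answer
    findings, seen = [], set()

    def flag(rule, key):
        if (rule, key) not in seen:
            seen.add((rule, key))
            findings.append((rule, key))

    for line in log.splitlines():
        if not line.strip():
            continue
        f = line.split()
        ts, kind = datetime.fromisoformat(f[0]), f[1]
        if kind == "dns_query":
            name, qtype = f[4], f[5]
            if qtype == "TXT":
                flag("dns_txt_lookup", name)
        elif kind == "dns_answer":
            rtype, rdata = f[5], f[6]
            if rtype in ("A", "AAAA"):
                resolved.add(rdata)
            elif rtype == "TXT":
                last_txt_answer = ts
        elif kind == "conn":
            proto, dst, dport = f[2], f[5], int(f[6])
            key = f"{proto}/{dst}:{dport}"
            # Local targets, the resolver itself and DNS traffic are expected to lack a prior lookup.
            if ipaddress.ip_address(dst).is_private or dst in resolver_ips or dport == 53:
                continue
            if dst not in resolved:
                flag("connection_without_dns", key)
                if last_txt_answer is not None and ts - last_txt_answer <= TXT_WINDOW:
                    flag("connect_after_txt", key)   # address plausibly delivered by the TXT record
            if proto == "tcp" and dport not in STANDARD_TCP_PORTS:
                flag("non_standard_port", key)
            if proto == "udp" and dport in STUN_PORTS:
                flag("stun_probe", key)              # STUN is a common way to learn the public IP


    return findings


if __name__ == "__main__":
    for rule, key in analyse(EVENTS, resolver_ips={"194.36.144.87"}):
        print(f"{rule:24} {key}")
```

On the constructed log this yields the same five observations the report's signatures make (UDP to 172.217.192.127 without DNS, the STUN port, the TXT lookup, TCP to 86.104.72.130 without DNS, port 3724) plus the TXT-to-connect timing correlation, while the example.com connection produces nothing. The "connect_after_txt" rule is a heuristic: it fires on timing alone, because the record's contents are not in the log.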

            System Behavior

Process 1
Start time (UTC): 14:00:08
Start date (UTC): 15/12/2024
Path: /tmp/sparc.elf
Arguments: /tmp/sparc.elf
File size: 4379400 bytes
MD5 hash: 7dc1c0e23cd5e102bb12e5c29403410e

Process 2
Start time (UTC): 14:00:10
Start date (UTC): 15/12/2024
Path: /tmp/sparc.elf
Arguments: -
File size: 4379400 bytes
MD5 hash: 7dc1c0e23cd5e102bb12e5c29403410e

Process 3
Start time (UTC): 14:00:11
Start date (UTC): 15/12/2024
Path: /tmp/sparc.elf
Arguments: -
File size: 4379400 bytes
MD5 hash: 7dc1c0e23cd5e102bb12e5c29403410e

The file size (4,379,400 bytes) and MD5 (7dc1c0e23cd5e102bb12e5c29403410e) recorded for these processes are not those of the submitted sample (84,252 bytes, MD5 f34a8e0f7516187c9abcbc7c46626eb0). The analysis VM is x86_64, and the memory strings above (/usr/bin/qemu-sparc, /etc/qemu-binfmt/sparc) show the SPARC binary being executed through QEMU user-mode emulation via binfmt_misc, so the hash and size belong to the qemu-sparc emulator image and the behaviour attributed to these processes is the sample's behaviour as run under that emulator.