
Linux Analysis Report
mips.elf

Overview

General Information

Sample name: mips.elf
Analysis ID: 1575430
MD5: 4d05554923fed09d195adbf685d6e83c
SHA1: a0ad981063901d31ffe076f4a4a1ae40988ded9a
SHA256: cb1c2397a2408979b855b6269b0e545e137d54096ed46ff0ca6b0d91e24bbf52
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575430
Start date and time: 2024-12-15 14:59:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: mips.elf
Detection: MAL
Classification: mal60.spyw.evad.linELF@0/0@3/0
Command: /tmp/mips.elf
PID: 5503
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Firmware update in progress
Standard Error:

Process tree:
  • system is lnxubuntu20
  • mips.elf (PID: 5503, Parent: 5426, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.elf
    • mips.elf New Fork (PID: 5507, Parent: 5503)
      • mips.elf New Fork (PID: 5509, Parent: 5507)
  • cleanup

The MD5 shown for PID 5503 (0083f1f0e77be34ad27f849842bbb00c) is not the MD5 of the submitted sample (4d05554923fed09d195adbf685d6e83c). The analysis host is x64 and the sample is a MIPS binary, so binfmt_misc launched it under the user-mode emulator /usr/bin/qemu-mips (see the qemu-binfmt strings in the memory dumps further down); the per-process hash and the 5,777,432-byte file size reported in the System Behavior section belong to the emulator, not to the 88,192-byte sample. Every behavior attributed to these PIDs (uname, the /sys/class/net reads, the self-deletion) was observed through the emulator's host system calls, and the uname call in particular may come from the emulator itself rather than from the guest code.
No yara matches
No Suricata rule has matched


AV Detection

Source: mips.elf  Virustotal: Detection: 15%

Networking

Source: /tmp/mips.elf (PID: 5507)  Opens: /sys/class/net/
Source: /tmp/mips.elf (PID: 5507)  Opens: /sys/class/net/lo/address
Source: /tmp/mips.elf (PID: 5507)  Opens: /sys/class/net/ens160/address
Source: /tmp/mips.elf (PID: 5507)  Opens: /sys/class/net/ens160/flags
Source: /tmp/mips.elf (PID: 5507)  Opens: /sys/class/net/ens160/carrier
Source: global traffic  TCP traffic: 192.168.2.13:51670 -> 103.35.190.176:3478
Source: unknown  TCP traffic detected without corresponding DNS query: 103.35.190.176 (6 occurrences)
Source: unknown  UDP traffic detected without corresponding DNS query: 172.217.192.127
Source: unknown  UDP traffic detected without corresponding DNS query: 217.160.70.42
Source: global traffic  DNS traffic detected: DNS query: iranistrash.libre
Source: global traffic  DNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample  .symtab present: no
Source: classification engine  Classification label: mal60.spyw.evad.linELF@0/0@3/0

Two things are worth reading out of these lines. Port 3478 is the IANA-registered STUN/TURN port, but the report does not decode the payload, so the protocol spoken to 103.35.190.176:3478 is not confirmed. The UDP packet to 217.160.70.42 is the DNS TXT query for iranistrash.libre (see the DNS tables further down): the sample sends it to a resolver of its own choosing rather than to the analysis host's configured resolver 8.8.8.8, and .libre is not delegated in the ICANN root zone, so the name only resolves through such an alternative resolver.

Hooking and other Techniques for Hiding and Protection

Source: /tmp/mips.elf (PID: 5503)  Sample deletes itself: /tmp/mips.elf
Source: /tmp/mips.elf (PID: 5503)  Queries kernel information via 'uname'
Source: /tmp/mips.elf (PID: 5507)  Queries kernel information via 'uname'
Source: mips.elf, 5503.1.000055e21291f000.000055e2129a6000.rw-.sdmp  Binary or memory string: U!/etc/qemu-binfmt/mips
Source: mips.elf, 5503.1.000055e21291f000.000055e2129a6000.rw-.sdmp  Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 5503.1.00007ffdb5c82000.00007ffdb5ca3000.rw-.sdmp  Binary or memory string: /usr/bin/qemu-mips
Source: mips.elf, 5503.1.00007ffdb5c82000.00007ffdb5ca3000.rw-.sdmp  Binary or memory string: Jx86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf

The dumped regions sit at x86-64 user-space addresses (0x000055e2..., 0x00007ffd...), and the last string is the host process's argument vector and environment (argv = /usr/bin/qemu-mips /tmp/mips.elf, started through sudo by the user saturnino). These are memory dumps of the qemu-mips emulator process, so the qemu-binfmt paths are emulator strings, not strings from the sample; the sample's own strings would have to be taken from the 88,192-byte file or from the emulated guest address space.
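A host-side check for the two things this section evidences, the self-deleting executable and the binfmt_misc/qemu-user indirection, as an added example that is not part of the Joe Sandbox report. It walks a /proc-style tree, flags processes whose /proc/<pid>/exe link carries the kernel's " (deleted)" suffix, and, when the executable is a qemu-user interpreter, reads /proc/<pid>/cmdline to recover the guest binary path and whether that file still exists. The fake /proc tree it builds for the demonstration is constructed here; its PIDs, paths and command lines are modelled on the report, not taken from a live system, and the function and field names are my own.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

DELETED_SUFFIX = " (deleted)"   # what the kernel appends to /proc/<pid>/exe once the file is unlinked


@dataclass
class Finding:
    pid: int
    exe: str                         # target of /proc/<pid>/exe, as the kernel reports it
    argv: List[str]
    exe_deleted: bool                # the process's own executable was unlinked while it runs
    guest_binary: Optional[str]      # path handed to a qemu-user interpreter by binfmt_misc
    guest_missing: bool              # that guest path no longer exists on disk


def read_cmdline(proc_pid: str) -> List[str]:
    """/proc/<pid>/cmdline is NUL-separated with a trailing NUL."""
    try:
        with open(os.path.join(proc_pid, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def triage_proc(proc_root: str = "/proc") -> List[Finding]:
    """One Finding per process that is suspicious by either criterion, in PID order."""
    findings: List[Finding] = []
    for entry in sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int):
        proc_pid = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(proc_pid, "exe"))
        except OSError:              # kernel threads, or a PID we are not allowed to inspect
            continue
        argv = read_cmdline(proc_pid)
        exe_deleted = exe.endswith(DELETED_SUFFIX)
        exe_path = exe[:-len(DELETED_SUFFIX)] if exe_deleted else exe

        # binfmt_misc invokes a foreign-architecture ELF as: <interpreter> <path of the ELF> [args...]
        guest, guest_missing = None, False
        if os.path.basename(exe_path).startswith("qemu-") and len(argv) >= 2:
            guest = argv[1]
            guest_missing = not os.path.exists(guest)

        if exe_deleted or guest_missing:
            findings.append(Finding(int(entry), exe, argv, exe_deleted, guest, guest_missing))
    return findings


def build_fake_proc(root: str) -> None:
    """Constructed fixture (not a live system): a /proc look-alike with a benign daemon,
    a qemu-mips process whose guest binary has been unlinked, and a native process whose
    own executable was unlinked. PIDs and paths are modelled on the report."""
    def add(pid: int, exe_target: str, argv: List[str]) -> None:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe_target, os.path.join(d, "exe"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(b"".join(a.encode() + b"\0" for a in argv))

    add(1, "/usr/sbin/cron", ["/usr/sbin/cron", "-f"])
    guest = os.path.join(root, "tmp", "mips.elf")          # deliberately never created
    add(5503, "/usr/bin/qemu-mips", ["/usr/bin/qemu-mips", guest])
    add(5507, "/tmp/dropper" + DELETED_SUFFIX, ["/tmp/dropper"])


def run_demo() -> List[Finding]:
    """Build the fixture in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return triage_proc(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

On a live host, run triage_proc() as root. For a native process whose file was unlinked, the original bytes can still be copied out of /proc/<pid>/exe while it runs; for the qemu-user case that copy yields the emulator, so the guest file has to be recovered from the emulator's open descriptors under /proc/<pid>/fd, if it still holds one, or from a memory dump.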

HIPS / PFW / Operating System Protection Evasion

Source: Traffic  DNS traffic detected: queries for: iranistrash.libre
MITRE ATT&CK matrix: matched techniques per tactic (the number in parentheses is the signature count the matrix displays; tactics with no match show only their default placeholder cell in the report and are omitted here)

  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
No configs have been found
Behavior Graph (ID: 1575430, sample: mips.elf, start date: 15/12/2024, architecture: LINUX, score: 60), rendered as text:

  • mips.elf (PID 5503) started
      signatures: Multi AV Scanner detection for submitted file; Sample deletes itself
      • mips.elf (PID 5507) started
          signatures: Opens /sys/class/net/* files useful for querying network interface information
          • mips.elf (PID 5509) started
  • Network: iranistrash.libre (signature: Performs DNS TXT record lookups)
  • Network: 103.35.190.176, port 3478 (source port 51670), VECTANT ARTERIA Networks Corporation JP, Japan
  • Network: 2 other IPs or domains
Source    Detection  Scanner        Label
mips.elf  16%        Virustotal
mips.elf  8%         ReversingLabs  Linux.Trojan.Mirai
No Antivirus matches
Name               IP             Active   Malicious  Antivirus Detection  Reputation
daisy.ubuntu.com   162.213.35.25  true     false                           high
iranistrash.libre  unknown        unknown  false                           high
IP               Domain   Country        ASN    ASN Name                                 Malicious
103.35.190.176   unknown  Japan          2519   VECTANT ARTERIA Networks Corporation JP  false
172.217.192.127  unknown  United States  15169  GOOGLE US                                false
Context: other samples that contacted the same IP
  103.35.190.176: mipsel.elf (detection: malicious, threat name: Unknown)

Context: other samples that contacted the same domain
  daisy.ubuntu.com:
    armv6l.elf (malicious, Unknown) - 162.213.35.25
    armv5l.elf (malicious, Mirai) - 162.213.35.24
    armv7l.elf (malicious, Mirai) - 162.213.35.24
    superh.elf (malicious, Unknown) - 162.213.35.25
    mips.elf (malicious, Unknown) - 162.213.35.25
    armv6l.elf (malicious, Unknown) - 162.213.35.24
    armv6l.elf (malicious, Mirai) - 162.213.35.24
    i686.elf (malicious, Mirai) - 162.213.35.24
    IGz.arm6.elf (malicious, Mirai) - 162.213.35.24

Context: other samples that contacted the same ASN
  VECTANT ARTERIA Networks Corporation JP:
    armv5l.elf (malicious, Mirai) - 133.149.215.37
    mipsel.elf (malicious, Unknown) - 103.35.190.176
    armv6l.elf (malicious, Mirai) - 122.222.53.192
    armv7l.elf (malicious, Mirai) - 36.2.2.159
    armv6l.elf (malicious, Unknown) - 115.179.195.14
    IGz.arm7.elf (malicious, Mirai) - 122.222.149.128
    loligang.arm.elf (malicious, Mirai) - 220.158.63.63
    2.elf (malicious, Unknown) - 157.250.108.34
    mpsl.elf (malicious, Mirai, Moobot) - 157.14.224.60
    rebirth.spc.elf (malicious, Mirai, Okiru) - 122.222.149.142

daisy.ubuntu.com is the Ubuntu error-reporting (apport/whoopsie) endpoint. It shows up across unrelated ELF samples here because the analysis VM contacts it on its own, so it is analysis-environment noise and not an indicator for this sample; the only sample-specific network indicators in this report are iranistrash.libre, 217.160.70.42, 172.217.192.127:3478 and 103.35.190.176:3478.
        No context
        No created / dropped files found
File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.477762632545398
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: mips.elf
File size: 88'192 bytes
MD5: 4d05554923fed09d195adbf685d6e83c
SHA1: a0ad981063901d31ffe076f4a4a1ae40988ded9a
SHA256: cb1c2397a2408979b855b6269b0e545e137d54096ed46ff0ca6b0d91e24bbf52
SHA512: 8f418037c2de20c499c384fbd50c890c9f86d0de7a44fc2f2c1e491e2a0b91007d0cf5649eaccb6e0c9983ac250012d3c83200d79216b344ad9ce719cd1a8a86
SSDEEP: 1536:yd7kZpsnp5JMhUnK7gi4oPtdecrpDUjavf5yap7Oahght2aTnNDxRJtwK:6ltmt7gi4oPLeK5yaJPhktpjRIK
TLSH: 5A83C61E6E158FACF7A9C63107B79E21974D37C727E1CA41E16CEA001E7024E685FB68
File Content Preview: .ELF.....................@.`...4..V......4. ...(.............@...@....O@..O@..............P..EP..EP....T............dt.Q............................<...'..<...!'.......................<...'......!... ....'9... ......................<...'......!........'9F

        ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400260
Flags: 0x1007 (EF_MIPS_NOREORDER | EF_MIPS_PIC | EF_MIPS_CPIC | EF_MIPS_ABI_O32; architecture bits 0 = MIPS-I)
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 87712
Section Header Size: 40
Number of Section Headers: 12
Header String Table Index: 11

Section headers

Name       Type      Address   Offset   Size     EntSize  Flags       Flags Description  Link  Info  Align
(null)     NULL      0x0       0x0      0x0      0x0      0x0                            0     0     0
.init      PROGBITS  0x400094  0x94     0x8c     0x0      0x6         AX                 0     0     4
.text      PROGBITS  0x400120  0x120    0x145e0  0x0      0x6         AX                 0     0     16
.fini      PROGBITS  0x414700  0x14700  0x5c     0x0      0x6         AX                 0     0     4
.rodata    PROGBITS  0x414760  0x14760  0x7e0    0x0      0x2         A                  0     0     16
.ctors     PROGBITS  0x455000  0x15000  0x8      0x0      0x3         WA                 0     0     4
.dtors     PROGBITS  0x455008  0x15008  0x8      0x0      0x3         WA                 0     0     4
.data      PROGBITS  0x455020  0x15020  0x1b8    0x0      0x3         WA                 0     0     16
.got       PROGBITS  0x4551e0  0x151e0  0x474    0x4      0x10000003  WAp                0     0     16
.sbss      NOBITS    0x455654  0x15654  0x8      0x0      0x10000003  WAp                0     0     4
.bss       NOBITS    0x455660  0x15654  0x1494   0x0      0x3         WA                 0     0     16
.shstrtab  STRTAB    0x0       0x15654  0x49     0x0      0x0                            0     0     1

There is no .symtab or .strtab section at all, which is what the "stripped symbol table" signature reflects; .shstrtab (0x15654 + 0x49 = 87709, padded to 87712) runs straight into the section header table, and 87712 + 12 * 40 = 88192 accounts for the whole file, so nothing is appended after the headers.

Program headers

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x14f40    0x14f40      5.5042   0x5    R E                0x10000                    .init .text .fini .rodata
LOAD       0x15000  0x455000         0x455000          0x654      0x1af4       3.5994   0x6    RW                 0x10000                    .ctors .dtors .data .got .sbss .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4

The two LOAD segments are cleanly split into R E (code and read-only data) and RW (writable data), but PT_GNU_STACK carries flags 0x7 (RWE): the binary asks the kernel for an executable stack. There is no PT_INTERP entry, consistent with the static linking reported in the file type.
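A minimal ELF32 parser that reproduces the static checks the report derives from these headers: byte order and machine from e_ident and e_machine, whether any .symtab section exists (the "stripped symbol table" signature), the PT_GNU_STACK permission bits, writable-and-executable LOAD segments, and the MIPS o32 ABI bit in e_flags. This is an added example, not Joe Sandbox code. The binary it parses by default is a synthetic big-endian MIPS-I executable assembled in memory from the same header layout (a constructed fixture, not the sample), so it runs offline; pass a file path to run the same checks on a real ELF such as mips.elf. The function and constant names are my own.

```python
import struct
import sys
from typing import Dict

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
PF_X, PF_W, PF_R = 1, 2, 4
EM_MIPS = 8
# MIPS e_flags bits; 0x1007 in the header above is the union of these four
EF_MIPS_NOREORDER, EF_MIPS_PIC, EF_MIPS_CPIC, EF_MIPS_ABI_O32 = 0x1, 0x2, 0x4, 0x1000


def parse_elf32(data: bytes) -> Dict:
    """Static checks on an ELF32 image of either byte order."""
    if data[:4] != b"\x7fELF" or data[4] != 1:                  # EI_MAG, EI_CLASS == ELFCLASS32
        raise ValueError("not an ELF32 image")
    bo = {1: "<", 2: ">"}[data[5]]                                # EI_DATA selects the byte order
    (_type, machine, _ver, entry, phoff, shoff, flags, _ehsize,
     phentsize, phnum, shentsize, shnum, shstrndx) = struct.unpack_from(bo + "HHIIIIIHHHHHH", data, 16)

    phdrs = [dict(zip(("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align"),
                      struct.unpack_from(bo + "8I", data, phoff + i * phentsize))) for i in range(phnum)]
    raw_sh = [struct.unpack_from(bo + "10I", data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = raw_sh[shstrndx][4] if shnum else 0              # sh_offset of .shstrtab

    def name_at(idx: int) -> str:
        return data[strtab_off + idx:data.index(b"\0", strtab_off + idx)].decode()

    sections = [{"name": name_at(s[0]), "type": s[1], "flags": s[2], "addr": s[3], "offset": s[4], "size": s[5]}
                for s in raw_sh]
    stack = next((p for p in phdrs if p["type"] == PT_GNU_STACK), None)
    return {
        "big_endian": bo == ">",
        "machine": "MIPS" if machine == EM_MIPS else hex(machine),
        "entry": entry,
        "sections": [s["name"] for s in sections],
        "stripped": not any(s["type"] == SHT_SYMTAB for s in sections),   # no .symtab at all
        # PT_GNU_STACK carries the stack permissions; when absent, Linux historically fell back to executable
        "executable_stack": True if stack is None else bool(stack["flags"] & PF_X),
        "rwx_segments": [hex(p["vaddr"]) for p in phdrs
                         if p["type"] == PT_LOAD and p["flags"] & PF_W and p["flags"] & PF_X],
        "mips_o32": bool(flags & EF_MIPS_ABI_O32) if machine == EM_MIPS else None,
    }


def build_mips_elf(with_symtab: bool, stack_flags: int = PF_R | PF_W | PF_X) -> bytes:
    """Assemble a tiny static big-endian MIPS-I executable in memory: a constructed fixture, not the
    sample. ELF header, PT_LOAD + PT_GNU_STACK, a 16-byte .text, optional .symtab/.strtab, .shstrtab."""
    text = b"\x00" * 16                                            # four MIPS nops
    names = [b"", b".text"] + ([b".symtab", b".strtab"] if with_symtab else []) + [b".shstrtab"]
    shstr = b"\0".join(names) + b"\0"
    name_off, pos = {}, 0
    for n in names:
        name_off[n], pos = pos, pos + len(n) + 1

    def align(n: int, a: int) -> int:
        return (n + a - 1) // a * a

    text_off = 128
    cur = text_off + len(text)
    if with_symtab:                                                # one null symbol plus one FUNC symbol
        strtab = b"\0main\0"
        symtab = struct.pack(">IIIBBH", 0, 0, 0, 0, 0, 0) + struct.pack(">IIIBBH", 1, 0x400000 + text_off, 16, 0x12, 0, 1)
        sym_off, cur = align(cur, 4), align(cur, 4) + len(symtab)
        str_off, cur = cur, cur + len(strtab)
    shstr_off, cur = cur, cur + len(shstr)
    sh_off = align(cur, 4)

    def sh(name, typ, flg, addr, off, size, link=0, info=0, addralign=1, entsize=0) -> bytes:
        return struct.pack(">10I", name_off[name], typ, flg, addr, off, size, link, info, addralign, entsize)

    shdrs = [sh(b"", SHT_NULL, 0, 0, 0, 0, addralign=0),
             sh(b".text", SHT_PROGBITS, 0x6, 0x400000 + text_off, text_off, len(text), addralign=16)]
    if with_symtab:
        shdrs.append(sh(b".symtab", SHT_SYMTAB, 0, 0, sym_off, len(symtab), link=3, info=1, addralign=4, entsize=16))
        shdrs.append(sh(b".strtab", SHT_STRTAB, 0, 0, str_off, len(strtab)))
    shdrs.append(sh(b".shstrtab", SHT_STRTAB, 0, 0, shstr_off, len(shstr)))
    shnum, shstrndx = len(shdrs), len(shdrs) - 1

    ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + b"\0" * 7      # ELF32, MSB, version 1, SysV, ABI 0
    ehdr = struct.pack(">16sHHIIIIIHHHHHH", ident, 2, EM_MIPS, 1, 0x400000 + text_off, 52, sh_off,
                       EF_MIPS_NOREORDER | EF_MIPS_PIC | EF_MIPS_CPIC | EF_MIPS_ABI_O32,
                       52, 32, 2, 40, shnum, shstrndx)
    phdrs = struct.pack(">8I", PT_LOAD, 0, 0x400000, 0x400000, sh_off, sh_off, PF_R | PF_X, 0x10000) + \
            struct.pack(">8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)

    img = bytearray(sh_off + 40 * shnum)
    img[0:52], img[52:116], img[text_off:text_off + len(text)] = ehdr, phdrs, text
    if with_symtab:
        img[sym_off:sym_off + len(symtab)], img[str_off:str_off + len(strtab)] = symtab, strtab
    img[shstr_off:shstr_off + len(shstr)] = shstr
    img[sh_off:] = b"".join(shdrs)
    return bytes(img)


if __name__ == "__main__":
    # With a path argument the real file is inspected; without one, the synthetic stripped binary is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_mips_elf(with_symtab=False)
    for key, value in parse_elf32(image).items():
        print(f"{key}: {value}")
```

Running it on the real sample should report stripped = True, executable_stack = True and an empty rwx_segments list, matching the tables above; build_mips_elf(True, PF_R | PF_W) produces the counter-example with a symbol table and a non-executable stack.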
TCP packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 15, 2024 15:00:21.778131962 CET  51670        3478       192.168.2.13    103.35.190.176
Dec 15, 2024 15:00:21.898463964 CET  3478         51670      103.35.190.176  192.168.2.13
Dec 15, 2024 15:00:21.898536921 CET  51670        3478       192.168.2.13    103.35.190.176
Dec 15, 2024 15:00:21.898943901 CET  51670        3478       192.168.2.13    103.35.190.176
Dec 15, 2024 15:00:22.020854950 CET  3478         51670      103.35.190.176  192.168.2.13
Dec 15, 2024 15:00:22.272349119 CET  34802        53         192.168.2.13    8.8.8.8
Dec 15, 2024 15:00:22.392704010 CET  53           34802      8.8.8.8         192.168.2.13
Dec 15, 2024 15:00:22.392796040 CET  34802        53         192.168.2.13    8.8.8.8
Dec 15, 2024 15:00:22.392870903 CET  34802        53         192.168.2.13    8.8.8.8
Dec 15, 2024 15:00:22.392910957 CET  34802        53         192.168.2.13    8.8.8.8
Dec 15, 2024 15:00:22.514842987 CET  53           34802      8.8.8.8         192.168.2.13
Dec 15, 2024 15:00:22.514889956 CET  53           34802      8.8.8.8         192.168.2.13
Dec 15, 2024 15:00:22.990132093 CET  3478         51670      103.35.190.176  192.168.2.13
Dec 15, 2024 15:00:22.991090059 CET  51670        3478       192.168.2.13    103.35.190.176
Dec 15, 2024 15:00:23.480454922 CET  53           34802      8.8.8.8         192.168.2.13
Dec 15, 2024 15:00:23.480956078 CET  34802        53         192.168.2.13    8.8.8.8
Dec 15, 2024 15:00:25.480240107 CET  53           34802      8.8.8.8         192.168.2.13
Dec 15, 2024 15:00:25.480706930 CET  34802        53         192.168.2.13    8.8.8.8
Dec 15, 2024 15:00:25.600711107 CET  53           34802      8.8.8.8         192.168.2.13
Dec 15, 2024 15:01:53.071274042 CET  51670        3478       192.168.2.13    103.35.190.176
Dec 15, 2024 15:01:53.191272974 CET  3478         51670      103.35.190.176  192.168.2.13
Dec 15, 2024 15:01:53.397777081 CET  3478         51670      103.35.190.176  192.168.2.13
Dec 15, 2024 15:01:53.398066998 CET  51670        3478       192.168.2.13    103.35.190.176

UDP packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 15, 2024 15:00:20.294284105 CET  20333        3478       192.168.2.13     172.217.192.127
Dec 15, 2024 15:00:21.495294094 CET  3478         20333      172.217.192.127  192.168.2.13
Dec 15, 2024 15:00:21.530215025 CET  50894        53         192.168.2.13     217.160.70.42
Dec 15, 2024 15:00:21.776577950 CET  53           50894      217.160.70.42    192.168.2.13

DNS queries

Timestamp                            Source IP     Dest IP        Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Dec 15, 2024 15:00:21.530215025 CET  192.168.2.13  217.160.70.42  0xacd9    Standard query (0)  iranistrash.libre  16 (TXT)        IN (0x0001)  false
Dec 15, 2024 15:00:22.392870903 CET  192.168.2.13  8.8.8.8        0xbb15    Standard query (0)  daisy.ubuntu.com   A (IP address)  IN (0x0001)  false
Dec 15, 2024 15:00:22.392910957 CET  192.168.2.13  8.8.8.8        0x8bb5    Standard query (0)  daisy.ubuntu.com   28 (AAAA)       IN (0x0001)  false

DNS answers

Timestamp                            Source IP      Dest IP       Trans ID  Reply Code    Name               CName  Address        Type                Class        DNS over HTTPS
Dec 15, 2024 15:00:21.776577950 CET  217.160.70.42  192.168.2.13  0xacd9    No error (0)  iranistrash.libre                        TXT (Text strings)  IN (0x0001)  false
Dec 15, 2024 15:00:23.480454922 CET  8.8.8.8        192.168.2.13  0xbb15    No error (0)  daisy.ubuntu.com          162.213.35.25  A (IP address)      IN (0x0001)  false
Dec 15, 2024 15:00:23.480454922 CET  8.8.8.8        192.168.2.13  0xbb15    No error (0)  daisy.ubuntu.com          162.213.35.24  A (IP address)      IN (0x0001)  false

Ordering of the capture: the UDP exchange with 172.217.192.127:3478 (15:00:20.29 out, 15:00:21.50 back) comes first, then the TXT query to 217.160.70.42 (15:00:21.53, answered 15:00:21.78), and the first TCP packet to 103.35.190.176:3478 follows the TXT answer by about 2 ms (15:00:21.778). The report does not show the TXT payload, so the idea that the record delivers the C2 endpoint is an inference from timing, not something the capture proves; 103.35.190.176 never appears in any DNS answer, which is why the report flags the TCP traffic as having no corresponding DNS query. The daisy.ubuntu.com lookups go to the host's configured resolver 8.8.8.8 over TCP (their timestamps coincide with the 34802 -> 53 TCP packets), and that domain is contacted by unrelated samples in the context lists above, so it belongs to the analysis environment rather than to the sample.
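The three signatures the report raises on this capture ("TCP or UDP traffic detected without corresponding DNS query", "Detected TCP or UDP traffic on non-standard ports", "Performs DNS TXT record lookups") can be recomputed from the flow and DNS tables. The following is an added example, not Joe Sandbox code: it takes the flows and DNS records as transcribed from the tables above (constructed here as Python tuples), builds the set of addresses that DNS answers actually returned, and reports connections to anything else, traffic to ports outside an expected-service list, DNS queries that are TXT lookups or go to a resolver other than the host's configured one, and, for each unexplained destination, the DNS answers that arrived just before the connection. The resolver set and the port allowlist are assumptions for the example, as are the function names.

```python
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class DnsQuery(NamedTuple):
    ts: str
    client: str
    resolver: str
    txid: int
    name: str
    qtype: int


class DnsAnswer(NamedTuple):
    ts: str
    txid: int
    name: str
    rtype: int
    rdata: str          # "" where the report shows no answer data (the TXT reply above)


QTYPE = {1: "A", 16: "TXT", 28: "AAAA"}

# Transcribed from the tables above: the first packet of each client-initiated flow, the queries
# and the answers. Timestamps are CET, trimmed to milliseconds.
FLOWS = [
    Flow("15:00:20.294", "udp", "192.168.2.13", 20333, "172.217.192.127", 3478),
    Flow("15:00:21.530", "udp", "192.168.2.13", 50894, "217.160.70.42", 53),
    Flow("15:00:21.778", "tcp", "192.168.2.13", 51670, "103.35.190.176", 3478),
    Flow("15:00:22.272", "tcp", "192.168.2.13", 34802, "8.8.8.8", 53),
]
QUERIES = [
    DnsQuery("15:00:21.530", "192.168.2.13", "217.160.70.42", 0xACD9, "iranistrash.libre", 16),
    DnsQuery("15:00:22.392", "192.168.2.13", "8.8.8.8", 0xBB15, "daisy.ubuntu.com", 1),
    DnsQuery("15:00:22.392", "192.168.2.13", "8.8.8.8", 0x8BB5, "daisy.ubuntu.com", 28),
]
ANSWERS = [
    DnsAnswer("15:00:21.776", 0xACD9, "iranistrash.libre", 16, ""),
    DnsAnswer("15:00:23.480", 0xBB15, "daisy.ubuntu.com", 1, "162.213.35.25"),
    DnsAnswer("15:00:23.480", 0xBB15, "daisy.ubuntu.com", 1, "162.213.35.24"),
]

SYSTEM_RESOLVERS: Set[str] = {"8.8.8.8"}                                          # assumption: the sandbox's resolver
EXPECTED_PORTS: Dict[str, Set[int]] = {"tcp": {53, 80, 443}, "udp": {53, 123}}   # assumption: unremarkable ports


def resolved_addresses(answers: List[DnsAnswer]) -> Dict[str, str]:
    """address -> name for every A/AAAA answer: the only destinations DNS can account for."""
    return {a.rdata: a.name for a in answers if a.rtype in (1, 28) and a.rdata}


def flows_without_dns(flows: List[Flow], answers: List[DnsAnswer], resolvers: Set[str]) -> List[Flow]:
    """The report's 'traffic detected without corresponding DNS query': a destination that no answer
    returned and that is not the configured resolver being asked on port 53."""
    known = resolved_addresses(answers)
    return [f for f in flows if f.dst not in known and not (f.dport == 53 and f.dst in resolvers)]


def nonstandard_port_flows(flows: List[Flow], expected: Dict[str, Set[int]] = EXPECTED_PORTS) -> List[Flow]:
    return [f for f in flows if f.dport not in expected[f.proto]]


def suspicious_queries(queries: List[DnsQuery], resolvers: Set[str] = SYSTEM_RESOLVERS) -> List[Dict]:
    out = []
    for q in queries:
        reasons = []
        if q.qtype == 16:
            reasons.append("TXT lookup")
        if q.resolver not in resolvers:
            reasons.append(f"sent to non-system resolver {q.resolver}")
        if reasons:
            out.append({"name": q.name, "type": QTYPE.get(q.qtype, str(q.qtype)), "reasons": reasons})
    return out


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def answers_preceding(flow: Flow, answers: List[DnsAnswer], window_s: float = 1.0) -> List[Tuple[float, DnsAnswer]]:
    """DNS answers that landed within window_s before the flow started. For a destination that never
    appeared in an A/AAAA record, these are the candidates for having delivered the endpoint."""
    t = _seconds(flow.ts)
    return [(round(t - _seconds(a.ts), 3), a) for a in answers if 0 <= t - _seconds(a.ts) <= window_s]


if __name__ == "__main__":
    for f in flows_without_dns(FLOWS, ANSWERS, SYSTEM_RESOLVERS):
        preceding = [(d, a.name, QTYPE[a.rtype]) for d, a in answers_preceding(f, ANSWERS)]
        print(f"no DNS for {f.proto} {f.dst}:{f.dport}; answers just before: {preceding}")
    print("non-standard ports:", [(f.dst, f.dport) for f in nonstandard_port_flows(FLOWS)])
    print("suspicious queries:", suspicious_queries(QUERIES))
```

The output reproduces the report's three "without corresponding DNS query" hosts (103.35.190.176, 172.217.192.127 and the off-system resolver 217.160.70.42), the two port-3478 flows, and the single flagged query; for the TCP flow it also shows the TXT answer 0.002 s earlier, which is the timing argument and nothing more, since the TXT payload is not in the capture.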

        System Behavior

Start time (UTC): 14:00:17
Start date (UTC): 15/12/2024
Path: /tmp/mips.elf
Arguments: /tmp/mips.elf
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Start time (UTC): 14:00:19
Start date (UTC): 15/12/2024
Path: /tmp/mips.elf
Arguments: -
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Start time (UTC): 14:00:20
Start date (UTC): 15/12/2024
Path: /tmp/mips.elf
Arguments: -
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

The 5,777,432-byte file with MD5 0083f1f0e77be34ad27f849842bbb00c that all three entries report is /usr/bin/qemu-mips, the user-mode emulator that binfmt_misc substituted for the 88,192-byte MIPS sample (the Path column still shows the guest binary the emulator was given). When pivoting on this sample elsewhere, use the sample hashes from the General Information section, not this per-process hash.