Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1579195
MD5:130a8264de73015b699abb4a46dfe83e
SHA1:ef8e8ea1999b3dcc3e960e2ebc4f285da2424f0d
SHA256:da3552ddc7654e4e3960e536c209aad4a91f2352a9686b9bed4fbdc3c6f079ce
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:56
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579195
Start date and time:2024-12-21 04:01:10 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal56.troj.linELF@0/0@2/0

Runtime Messages

Command:/tmp/arm6.elf
PID:5487
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • arm6.elf (PID: 5487, Parent: 5412, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
arm6.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    5487.1.00007faaf4017000.00007faaf402a000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: arm6.elfReversingLabs: Detection: 26%
      Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
      Source: ELF static info symbol of initial sample.symtab present: no
      Source: classification engineClassification label: mal56.troj.linELF@0/0@2/0
      Source: /tmp/arm6.elf (PID: 5487)Queries kernel information via 'uname': Jump to behavior
      Source: arm6.elf, 5487.1.0000558bc8e4b000.0000558bc8f79000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
      Source: arm6.elf, 5487.1.0000558bc8e4b000.0000558bc8f79000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
      Source: arm6.elf, 5487.1.00007ffd01f61000.00007ffd01f82000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
      Source: arm6.elf, 5487.1.00007ffd01f61000.00007ffd01f82000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
      Source: arm6.elf, 5487.1.00007ffd01f61000.00007ffd01f82000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

      Stealing of Sensitive Information

      barindex
      Yara detected Mirai
      Source: Yara matchFile source: arm6.elf, type: SAMPLE
      Source: Yara matchFile source: 5487.1.00007faaf4017000.00007faaf402a000.r-x.sdmp, type: MEMORY

      Remote Access Functionality

      barindex
      Yara detected Mirai
      Source: Yara matchFile source: arm6.elf, type: SAMPLE
      Source: Yara matchFile source: 5487.1.00007faaf4017000.00007faaf402a000.r-x.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
      Security Software Discovery      		Remote ServicesData from Local System1
      Non-Application Layer Protocol      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
      Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service

      Malware Configuration

      No configs have been found

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Number of created Files
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      arm6.elf26%ReversingLabsLinux.Backdoor.Mirai

      Dropped Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      daisy.ubuntu.com
      		162.213.35.24
      		truefalse
        		high

        World Map of Contacted IPs

        No contacted IP infos

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        daisy.ubuntu.comboatnet.ppc.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.25
        boatnet.arm7.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.24
        boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.24
        boatnet.sh4.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.25
        boatnet.x86.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.25
        boatnet.i486.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.24
        boatnet.arm6.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.24
        boatnet.spc.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.25
        la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
        • 162.213.35.24

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
        Entropy (8bit):6.116624799532316
        TrID:
        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
        File name:arm6.elf
        File size:79'196 bytes
        MD5:130a8264de73015b699abb4a46dfe83e
        SHA1:ef8e8ea1999b3dcc3e960e2ebc4f285da2424f0d
        SHA256:da3552ddc7654e4e3960e536c209aad4a91f2352a9686b9bed4fbdc3c6f079ce
        SHA512:8cc31e3c0b20f662c32f2c49b012021263e94fdb3b961826d732b7c889457670018fa381d19aebec9bba4ef1edebcf466893c55c9f2267dae9d7fd722a9b880a
        SSDEEP:1536:kAndJBFoH/jjrsy6wDwYSKaWAk1QTMKiqNMuCtR7uW50YGnv6:r0/vrsxwMYSKaWyNMuCtRiWCdnv
        TLSH:2473195AB9819F21D5D102BEFE1E128E7323177CE3DE72129E106B24778B56B0E3B905
        File Content Preview:.ELF..............(.....T...4...|3......4. ...(.....................d/..d/...............0...0...0......X...........Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../..3.......0....-.@0....S

        Static ELF Info

        ELF header

        Class:ELF32
        Data:2's complement, little endian
        Version:1 (current)
        Machine:ARM
        Version Number:0x1
        Type:EXEC (Executable file)
        OS/ABI:UNIX - System V
        ABI Version:0
        Entry Point Address:0x8154
        Flags:0x4000002
        ELF Header Size:52
        Program Header Offset:52
        Program Header Size:32
        Number of Program Headers:3
        Section Header Offset:78716
        Section Header Size:40
        Number of Section Headers:12
        Header String Table Index:11

        Sections

        NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
        NULL0x00x00x00x00x0000
        .initPROGBITS0x80940x940x100x00x6AX004
        .textPROGBITS0x80b00xb00x117e40x00x6AX0016
        .finiPROGBITS0x198940x118940x100x00x6AX004
        .rodataPROGBITS0x198a80x118a80x16bc0x00x2A008
        .init_arrayINIT_ARRAY0x230040x130080x40x00x3WA004
        .fini_arrayFINI_ARRAY0x230080x1300c0x40x00x3WA004
        .gotPROGBITS0x230100x130140x740x40x3WA004
        .dataPROGBITS0x230840x130880x2840x00x3WA004
        .bssNOBITS0x233080x1330c0x54540x00x3WA004
        .ARM.attributesARM_ATTRIBUTES0x00x1330c0x100x00x0001
        .shstrtabSTRTAB0x00x1331c0x5d0x00x0001

        Program Segments

        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
        LOAD0x00x80000x80000x12f640x12f646.14420x5R E0x8000.init .text .fini .rodata
        LOAD0x130040x230040x230000x3080xd7583.87190x6RW 0x8000.init_array .fini_array .got .data .bss
        GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

        Network Behavior

        Network Port Distribution

        UDP Packets

        TimestampSource PortDest PortSource IPDest IP
        Dec 21, 2024 04:01:52.855549097 CET5925353192.168.2.148.8.8.8
        Dec 21, 2024 04:01:52.855603933 CET5843953192.168.2.148.8.8.8
        Dec 21, 2024 04:01:52.977921963 CET53584398.8.8.8192.168.2.14
        Dec 21, 2024 04:01:52.977940083 CET53592538.8.8.8192.168.2.14

        DNS Queries

        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
        Dec 21, 2024 04:01:52.855549097 CET192.168.2.148.8.8.80x8165Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
        Dec 21, 2024 04:01:52.855603933 CET192.168.2.148.8.8.80x8977Standard query (0)daisy.ubuntu.com28IN (0x0001)false

        DNS Answers

        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
        Dec 21, 2024 04:01:52.977940083 CET8.8.8.8192.168.2.140x8165No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
        Dec 21, 2024 04:01:52.977940083 CET8.8.8.8192.168.2.140x8165No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

        System Behavior

        General

        Start time (UTC):03:01:50
        Start date (UTC):21/12/2024
        Path:/tmp/arm6.elf
        Arguments:/tmp/arm6.elf
        File size:4956856 bytes
        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

        Chronological Activities