Edit tour

Linux Analysis Report
DemonGen-linux-amd64.elf

Overview

General Information

Sample name:	DemonGen-linux-amd64.elf
Analysis ID:	1579444
MD5:	45450780dd31f689b845cb3023e1e999
SHA1:	a5fa8ccefdaa609eb3550afcff3ae3fd661faa88
SHA256:	e0c80ee6052670e356c02ebc7e02e70f85719538fb18386cabfccbb73ac7b85e
Tags:	elfuser-abuse_ch
Infos:
Errors No process behavior to analyse as no analysis process or sample was found

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false

Signatures

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579444
Start date and time:	2024-12-22 12:01:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	DemonGen-linux-amd64.elf
Detection:	UNKNOWN
Classification:	unknown1.linELF@0/0@0/0

Errors

No process behavior to analyse as no analysis process or sample was found

Warnings

VT rate limit hit for: https://2captcha.comAccessibility.AXNodeAccessibility.enableAudits.AffectedFrameAudits.checkContrast
VT rate limit hit for: https://api.pages.cm.com/pages/v1/interactions/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56b3312f
VT rate limit hit for: https://go-rod.github.io/#/compatibility?id=os:
VT rate limit hit for: https://pages.cm.com/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56/section/0
VT rate limit hit for: https://www.aegpresents.fr/tyler-the-creator-paris-2025-preventeartiste/reflect:

Runtime Messages

Command:	/tmp/DemonGen-linux-amd64.elf
PID:	6208
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: DemonGen-linux-amd64.elf	String found in binary or memory: http://www.bohemiancoding.com/sketch
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://2captcha.comAccessibility.AXNodeAccessibility.enableAudits.AffectedFrameAudits.checkContrast
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://api.pages.cm.com/pages/v1/interactions/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56b3312f
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://go-rod.github.io/#/compatibility?id=os
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://go-rod.github.io/#/compatibility?id=os:
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://go.seated.com/event-reminders/bfea6c8c-983e-4d2c-a83f-13ec2bf84cb8/infocannot
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://golang.org/pkg/time/#ParseDuration)function(e)
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://pages.cm.com/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56/section/0
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://pages.cm.com/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56/section/ce0b0477-13ba-4b9b-a762
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://playwright.azureedge.net/builds/chromium/%d/chromium-linux-arm64.ziptls:
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/%s/%d/%stls:
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://sms-activation-service.com/stubs/handler_api?api_key=%s&action=getNumber&service=ticketmaste
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://sms-activation-service.com/stubs/handler_api?api_key=%s&action=getStatus&id=%sreflect:
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://storage.googleapis.com/chromium-browser-snapshots/%s/%d/%stls:
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://ticketmaster.com///input
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://www.aegpresents.fr/tyler-the-creator-paris-2025-preventeartiste/reflect:
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://www.icloud.com/ca.m.us.p.amm
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://www.primaverasound.com//button
Source: DemonGen-linux-amd64.elf	String found in binary or memory: https://www.primaverasound.com/Error

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: unknown1.linELF@0/0@0/0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DemonGen-linux-amd64.elf	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.primaverasound.com//button	DemonGen-linux-amd64.elf	false	high
https://go-rod.github.io/#/compatibility?id=os:	DemonGen-linux-amd64.elf	false	unknown
https://2captcha.comAccessibility.AXNodeAccessibility.enableAudits.AffectedFrameAudits.checkContrast	DemonGen-linux-amd64.elf	false	unknown
https://api.pages.cm.com/pages/v1/interactions/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56b3312f	DemonGen-linux-amd64.elf	false	unknown
https://pages.cm.com/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56/section/0	DemonGen-linux-amd64.elf	false	unknown
https://www.aegpresents.fr/tyler-the-creator-paris-2025-preventeartiste/reflect:	DemonGen-linux-amd64.elf	false	unknown
https://www.primaverasound.com/Error	DemonGen-linux-amd64.elf	false	high
http://www.bohemiancoding.com/sketch	DemonGen-linux-amd64.elf	false	high
https://go-rod.github.io/#/compatibility?id=os	DemonGen-linux-amd64.elf	false	unknown
https://ticketmaster.com///input	DemonGen-linux-amd64.elf	false	high
https://sms-activation-service.com/stubs/handler_api?api_key=%s&action=getNumber&service=ticketmaste	DemonGen-linux-amd64.elf	false	unknown
https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/%s/%d/%stls:	DemonGen-linux-amd64.elf	false	high
https://sms-activation-service.com/stubs/handler_api?api_key=%s&action=getStatus&id=%sreflect:	DemonGen-linux-amd64.elf	false	unknown
https://golang.org/pkg/time/#ParseDuration)function(e)	DemonGen-linux-amd64.elf	false	high
https://go.seated.com/event-reminders/bfea6c8c-983e-4d2c-a83f-13ec2bf84cb8/infocannot	DemonGen-linux-amd64.elf	false	high
https://pages.cm.com/8589759000/39907f79-84c0-40c0-b600-33e3aff0ce56/section/ce0b0477-13ba-4b9b-a762	DemonGen-linux-amd64.elf	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	vlxx.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	vlxx.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	vlxx.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	vlxx.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	vlxx.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	vlxx.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	185.125.190.26
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	vlxx.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	vlxx.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	91.189.91.42
	vlxx.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	185.125.190.26
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
INIT7CH	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	vlxx.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	vlxx.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	vlxx.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	109.202.202.202
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, too large section header offset 12038144
Entropy (8bit):	6.542663678615004
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	DemonGen-linux-amd64.elf
File size:	9'056'804 bytes
MD5:	45450780dd31f689b845cb3023e1e999
SHA1:	a5fa8ccefdaa609eb3550afcff3ae3fd661faa88
SHA256:	e0c80ee6052670e356c02ebc7e02e70f85719538fb18386cabfccbb73ac7b85e
SHA512:	0190fb84ff7d624c1c44556716bd7288e94094d4baaa8c82af7874d109249056f795db55c73c113a4df8a7f09948f91e4486c7a7a9a2bba6f1240d76a2e642e7
SSDEEP:	49152:hrGYGJthj/vhwkzLwTYgE0s9X5lzAnU1w3f+rb9yu8bUudjetgUq/fkr+GfU5EXQ:lzyhj/1AuyU14ZYmE+2w
TLSH:	61968D07ECA441A8C4FEC578CA26A2677AB13C99473423E33F58F6251F76BD0A979740
File Content Preview:	.ELF..............>.....`KG.....@.......X...........@.8...@.............@.......@.@.....@.@...............................................@.......@......C9......C9......................P9......Py......Py.......y.......y......................P.......P.....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x474b60
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	5
Section Header Offset:	344
Section Header Size:	64
Number of Section Headers:	13
Header String Table Index:	12

Sections

Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
NULL	0x0	0x0	0x0	0x0	0x0		0
PROGBITS	0x401000	0x1000	0x3933a6	0x0	0x6	AX	32
PROGBITS	0x795000	0x395000	0x47fb84	0x0	0x2	A	32
PROGBITS	0xc14ba0	0x814ba0	0x3e00	0x0	0x2	A	32
PROGBITS	0xc189a0	0x8189a0	0xd28	0x0	0x2	A	32
PROGBITS	0xc196c8	0x8196c8	0x0	0x0	0x2	A	1
PROGBITS	0xc196e0	0x8196e0	0x31afd8	0x0	0x2	A	32
PROGBITS	0xf35000	0xb35000	0x30	0x0	0x3	WA	16
PROGBITS	0xf35040	0xb35040	0x31d02	0x0	0x3	WA	32
PROGBITS	0xf66d60	0xb66d60	0x13870	0x0	0x3	WA	32
NOBITS	0xf7a5e0	0xb7a5e0	0x22a40	0x0	0x3	WA	32
NOBITS	0xf9d020	0xb9d020	0x6b20	0x0	0x3	WA	32
STRTAB	0x0	0xb7b000	0x87	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
PHDR	0x40	0x400040	0x400040	0x118	0x118	1.6373	0x4	R	0x1000
LOAD	0x0	0x400000	0x400000	0x3943a6	0x3943a6	6.1823	0x5	R E	0x1000
LOAD	0x395000	0x795000	0x795000	0x79f6b8	0x79f6b8	6.1447	0x4	R	0x1000
LOAD	0xb35000	0xf35000	0xf35000	0x455e0	0x6eb40	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 22, 2024 12:01:54.531258106 CET	42836	443	192.168.2.23	91.189.91.43
Dec 22, 2024 12:01:55.299170971 CET	42516	80	192.168.2.23	109.202.202.202
Dec 22, 2024 12:02:09.377356052 CET	43928	443	192.168.2.23	91.189.91.42
Dec 22, 2024 12:02:21.663635015 CET	42836	443	192.168.2.23	91.189.91.43
Dec 22, 2024 12:02:25.758936882 CET	42516	80	192.168.2.23	109.202.202.202
Dec 22, 2024 12:02:50.331866980 CET	43928	443	192.168.2.23	91.189.91.42

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report DemonGen-linux-amd64.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Errors

Warnings

Runtime Messages

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Linux Analysis Report
DemonGen-linux-amd64.elf