Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
armv4eb.elf

Overview

General Information

Sample name:armv4eb.elf
Analysis ID:1580158
MD5:b7a09458cbd2c147794c717ab13fa7bc
SHA1:b03c494f6ec7f1226066bcb544c5fd9a679fd4c6
SHA256:7a5e56517ce37bdb71b2b75cf9e2210e8c76f7f3494f797f5179ec183cc0a6a5
Tags:elfuser-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Sample deletes itself
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1580158
Start date and time:2024-12-24 03:21:04 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:armv4eb.elf
Detection:MAL
Classification:mal64.spyw.evad.linELF@0/0@0/0
Command:/tmp/armv4eb.elf
PID:6221
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • armv4eb.elf (PID: 6221, Parent: 6140, MD5: 6ef685c2c206c9caa9a952987789a1a5) Arguments: /tmp/armv4eb.elf
  • cleanup
No yara matches
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: armv4eb.elfAvira: detected
Source: armv4eb.elfReversingLabs: Detection: 44%

Networking

barindex
Source: /tmp/armv4eb.elf (PID: 6221)Opens: /sys/class/net/Jump to behavior
Source: /tmp/armv4eb.elf (PID: 6221)Opens: /sys/class/net/ens160/addressJump to behavior
Source: /tmp/armv4eb.elf (PID: 6221)Opens: /sys/class/net/ens160/flagsJump to behavior
Source: /tmp/armv4eb.elf (PID: 6221)Opens: /sys/class/net/ens160/carrierJump to behavior
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -en '
Source: Initial sampleString containing 'busybox' found: .d && /bin/busybox echo -e '\x46\x49\x4e'
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo '
Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod 777 .d; ./.d > .b; /bin/busybox chmod 777 .b; ./.b matrix
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -en ''>.d && /bin/busybox echo -e '\x46\x49\x4e'
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo '\c'>>/bin/busybox chmod 777 .d; ./.d > .b; /bin/busybox chmod 777 .b; ./.b matrix
Source: Initial sampleString containing 'busybox' found: rm -rf .d; rm -rf .b; >.d; (chmod 777 .d || /bin/busybox chmod 777 .d || cp /bin/sh .d; >.d); >.b; (chmod 777 .b || /bin/busybox chmod 777 .b || cp /bin/sh .b; >.b)
Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /proc/self/exe || cat /bin/echo
Source: Initial sampleString containing 'busybox' found: /bin/busybox wget --help; /bin/busybox ftpget --help; /bin/busybox echo -e '\x67\x61\x79\x66\x67\x74';
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -e '\x53\x54\x41\x52\x54'; cat /proc/cpuinfo; /bin/busybox echo -e '\x45\x4e\x44'
Source: Initial sampleString containing 'busybox' found: BusyBox on \S+ \wogin
Source: Initial sampleString containing 'busybox' found: ELFsage: wgetsage: ftpgetgayfgt/bin/busybox echo -e '\x53\x54\x41\x52\x54'; cat /proc/cpuinfo; /bin/busybox echo -e '\x45\x4e\x44'
Source: Initial sampleString containing 'busybox' found: /usr//mnt//var/run//dev/shm//etc//var//tmp//dev//var/home/user/fw/admin1231234666666ubnt888888klv12340000111111111111123451234561234567890admin12601hx4321543216543217ujMko0admin88888888a1sev5y7c39kAdminadmin123AdmiN*123admin1234adminHWadminpassBrAhMoS@15CalVxePV1! cat1029CenturyL1nkchzhdplconexantCTLsupport12cxx4dm1n5591epicrouterGeNeXiS@19gponAdminGPONALC#FGUgw1adminh@32LuyDho4uku6atadministratorAdministratorsupervisormeinsmmicrobusinessnology*/P@55w0rd!passpasswordplumeria0077QwestM0demripcode!roots2@We3%Dc#smcadminstdONU101systemtechTeleCom_1234telnetv2mprtve0RbANGXpon@Olt9417##xTaaA8jzhoneadtecadtecftpbinCMCCAdmine8telnetCUAdmindaemondefaulttluafedvhd1206e8ehome1e8ehomee8ehomeasbhi3518EpuseruserEpfliruser3vligftpvideoguestguest123!!Huawei@HuaweiHgwkeomeolnadminlnadmin0123456mg3500merlinmothernobodyontONTUSERSUGAR2A041rapportr@p8p0r+remotessh5SaP9I26!@#$qwer00000000000000000000059AnkJ070admin11001chin11111111234qwer1.oN%cpi2010vesta2011vesta207B16th23we98oi258025804uvdzKqBkj.jg5up/*6.=_ja7ujMko0vizxvadminp
Source: Initial sampleString containing potential weak password found: admin
Source: Initial sampleString containing potential weak password found: 12345
Source: Initial sampleString containing potential weak password found: 123456
Source: Initial sampleString containing potential weak password found: 54321
Source: Initial sampleString containing potential weak password found: 654321
Source: Initial sampleString containing potential weak password found: admin1234
Source: Initial sampleString containing potential weak password found: administrator
Source: Initial sampleString containing potential weak password found: supervisor
Source: Initial sampleString containing potential weak password found: password
Source: Initial sampleString containing potential weak password found: default
Source: Initial sampleString containing potential weak password found: guest
Source: Initial sampleString containing potential weak password found: service
Source: Initial sampleString containing potential weak password found: support
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal64.spyw.evad.linELF@0/0@0/0

Hooking and other Techniques for Hiding and Protection

barindex
Source: /tmp/armv4eb.elf (PID: 6221)File: /tmp/armv4eb.elfJump to behavior
Source: /tmp/armv4eb.elf (PID: 6221)Queries kernel information via 'uname': Jump to behavior
Source: armv4eb.elf, 6221.1.000055ce43fab000.000055ce440f9000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/armeb
Source: armv4eb.elf, 6221.1.00007ffcc7437000.00007ffcc7458000.rw-.sdmpBinary or memory string: /usr/bin/qemu-armeb
Source: armv4eb.elf, 6221.1.00007ffcc7437000.00007ffcc7458000.rw-.sdmpBinary or memory string: ox86_64/usr/bin/qemu-armeb/tmp/armv4eb.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/armv4eb.elf
Source: armv4eb.elf, 6221.1.000055ce43fab000.000055ce440f9000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/armeb
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion
1
Brute Force
11
Security Software Discovery
Remote ServicesData from Local System1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
No configs have been found
SourceDetectionScannerLabelLink
armv4eb.elf45%ReversingLabsLinux.Backdoor.Gafgyt
armv4eb.elf100%AviraEXP/ELF.Mirai.D
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43x86_32.nn.elfGet hashmaliciousOkiruBrowse
    tftp.elfGet hashmaliciousUnknownBrowse
      bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
        mipsel.nn.elfGet hashmaliciousOkiruBrowse
          powerpc.nn.elfGet hashmaliciousOkiruBrowse
            arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
              arm5.nn.elfGet hashmaliciousOkiruBrowse
                powerpc.nn.elfGet hashmaliciousOkiruBrowse
                  x86_64.nn.elfGet hashmaliciousOkiruBrowse
                    mipsel.nn.elfGet hashmaliciousOkiruBrowse
                      91.189.91.42x86_32.nn.elfGet hashmaliciousOkiruBrowse
                        tftp.elfGet hashmaliciousUnknownBrowse
                          arm5.nn-20241224-0050.elfGet hashmaliciousOkiruBrowse
                            bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                              mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                powerpc.nn.elfGet hashmaliciousOkiruBrowse
                                  arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                    arm5.nn.elfGet hashmaliciousOkiruBrowse
                                      powerpc.nn.elfGet hashmaliciousOkiruBrowse
                                        x86_64.nn.elfGet hashmaliciousOkiruBrowse
                                          No context
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBx86_32.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          tftp.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          arm5.nn-20241224-0050.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                          • 91.189.91.42
                                          mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          powerpc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 91.189.91.42
                                          bot.arm.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                          • 185.125.190.26
                                          sh4.nn.elfGet hashmaliciousOkiruBrowse
                                          • 185.125.190.26
                                          arm5.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBx86_32.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          tftp.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          arm5.nn-20241224-0050.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                          • 91.189.91.42
                                          mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          powerpc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 91.189.91.42
                                          bot.arm.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                          • 185.125.190.26
                                          sh4.nn.elfGet hashmaliciousOkiruBrowse
                                          • 185.125.190.26
                                          arm5.nn.elfGet hashmaliciousOkiruBrowse
                                          • 91.189.91.42
                                          INIT7CHx86_32.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          tftp.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          arm5.nn-20241224-0050.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          bot.sh4.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                          • 109.202.202.202
                                          mipsel.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          powerpc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 109.202.202.202
                                          arm5.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          powerpc.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          x86_64.nn.elfGet hashmaliciousOkiruBrowse
                                          • 109.202.202.202
                                          No context
                                          No context
                                          No created / dropped files found
                                          File type:ELF 32-bit MSB executable, ARM, version 1 (ARM), statically linked, stripped
                                          Entropy (8bit):4.735341006000336
                                          TrID:
                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                          File name:armv4eb.elf
                                          File size:222'268 bytes
                                          MD5:b7a09458cbd2c147794c717ab13fa7bc
                                          SHA1:b03c494f6ec7f1226066bcb544c5fd9a679fd4c6
                                          SHA256:7a5e56517ce37bdb71b2b75cf9e2210e8c76f7f3494f797f5179ec183cc0a6a5
                                          SHA512:2fdfde2f5acd0060d67ed15f64b0f45c1333d5b39051cca2f170343649109c203f4f85c84ffa32fa6e03a98d95722101e5229a73223dfa4f724022b858a77904
                                          SSDEEP:1536:VUMJ37dlMgiR5FhfkdjaaNm+1ncWrvusLgwqvjYSKbRxP3pDOo/LAd8Y4:VnN7dOGdRymGDwqvjYSKbrP0ozAd8b
                                          TLSH:6424D6C3A615C522C18CDC3669BFBB457F1A8197C9C2E301E000E78F7B5BA6B29E85D5
                                          File Content Preview:.ELF...a...........(...........4..b......4. ...(......................-<..-<..............0...0...0...2<............dt.Q.................................-...L.....".._@.........-@0..P\..0..S.....0..@P..0... ..R........0...0...........0... ..R........0 .S.

                                          ELF header

                                          Class:ELF32
                                          Data:2's complement, big endian
                                          Version:1 (current)
                                          Machine:ARM
                                          Version Number:0x1
                                          Type:EXEC (Executable file)
                                          OS/ABI:ARM - ABI
                                          ABI Version:0
                                          Entry Point Address:0x8190
                                          Flags:0x202
                                          ELF Header Size:52
                                          Program Header Offset:52
                                          Program Header Size:32
                                          Number of Program Headers:3
                                          Section Header Offset:221828
                                          Section Header Size:40
                                          Number of Section Headers:11
                                          Header String Table Index:10
                                          NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                          NULL0x00x00x00x00x0000
                                          .initPROGBITS0x80940x940x180x00x6AX004
                                          .textPROGBITS0x80b00xb00x17d380x00x6AX0016
                                          .finiPROGBITS0x1fde80x17de80x140x00x6AX004
                                          .rodataPROGBITS0x1fdfc0x17dfc0xaf400x00x2A004
                                          .eh_framePROGBITS0x330000x230000x40x00x3WA004
                                          .ctorsPROGBITS0x330040x230040x80x00x3WA004
                                          .dtorsPROGBITS0x3300c0x2300c0x80x00x3WA004
                                          .dataPROGBITS0x330180x230180x132240x00x3WA004
                                          .bssNOBITS0x4623c0x3623c0x49b740x00x3WA004
                                          .shstrtabSTRTAB0x00x3623c0x480x00x0001
                                          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                          LOAD0x00x80000x80000x22d3c0x22d3c6.01230x5R E0x8000.init .text .fini .rodata
                                          LOAD0x230000x330000x330000x1323c0x5cdb00.73450x6RW 0x8000.eh_frame .ctors .dtors .data .bss
                                          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4
                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 24, 2024 03:21:44.858540058 CET43928443192.168.2.2391.189.91.42
                                          Dec 24, 2024 03:21:50.234072924 CET42836443192.168.2.2391.189.91.43
                                          Dec 24, 2024 03:21:51.513717890 CET4251680192.168.2.23109.202.202.202
                                          Dec 24, 2024 03:22:06.103760004 CET43928443192.168.2.2391.189.91.42
                                          Dec 24, 2024 03:22:16.342545986 CET42836443192.168.2.2391.189.91.43
                                          Dec 24, 2024 03:22:22.485589981 CET4251680192.168.2.23109.202.202.202
                                          Dec 24, 2024 03:22:47.058013916 CET43928443192.168.2.2391.189.91.42
                                          Dec 24, 2024 03:23:07.535275936 CET42836443192.168.2.2391.189.91.43

                                          System Behavior

                                          Start time (UTC):02:21:43
                                          Start date (UTC):24/12/2024
                                          Path:/tmp/armv4eb.elf
                                          Arguments:/tmp/armv4eb.elf
                                          File size:4965048 bytes
                                          MD5 hash:6ef685c2c206c9caa9a952987789a1a5