
Linux Analysis Report
zersh4.elf

Overview

General Information

Sample name:zersh4.elf
Analysis ID:1580189
MD5:7475341fd60a61765cfdead32577e63d
SHA1:7a9431cdbc301834086c062390f5505a67731290
SHA256:59cf733d8bc6be41eca3211640666bdd438614dc4f8d3f1dfc6712a5fc3d9884
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1580189
Start date and time:2024-12-24 04:00:40 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:zersh4.elf
Detection:MAL
Classification:mal52.troj.linELF@0/0@1/0
Command:/tmp/zersh4.elf
PID:5540
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
The Peoples Bank of China.
Standard Error:
  • system is lnxubuntu20
  • zersh4.elf (PID: 5540, Parent: 5460, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/zersh4.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: zersh4.elf | ReversingLabs: Detection: 28%

Networking

Source: global traffic | TCP traffic: 209.38.192.73 ports 38241,1,2,3,4,8
Source: global traffic | TCP traffic: 192.168.2.14:37084 -> 209.38.192.73:38241
Source: /tmp/zersh4.elf (PID: 5540) | Socket: 127.0.0.1:39148
Source: unknown | UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: global traffic | DNS traffic detected: DNS query: serisontop.dyn
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne >> > .d
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.troj.linELF@0/0@1/0
Source: /tmp/zersh4.elf (PID: 5540) | Queries kernel information via 'uname':
Source: zersh4.elf, 5540.1.00007fff9a9fd000.00007fff9aa1e000.rw-.sdmp | Binary or memory string: \x86_64/usr/bin/qemu-sh4/tmp/zersh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zersh4.elf
Source: zersh4.elf, 5540.1.00007fff9a9fd000.00007fff9aa1e000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sh4
Source: zersh4.elf, 5540.1.000055871aa7b000.000055871aade000.rw-.sdmp | Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: zersh4.elf, 5540.1.000055871aa7b000.000055871aade000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sh4
ATT&CK Matrix (one line per tactic; the match counts shown in the original matrix cells are kept in parentheses)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Direct Volume Access | Rootkit | Obfuscated Files or Information
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: Security Software Discovery (11) | Application Window Discovery | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Command and Control: Non-Standard Port (1) | Non-Application Layer Protocol (1) | Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact
No configs have been found

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph (ID: 1580189, Sample: zersh4.elf, Start date: 24/12/2024, Architecture: LINUX, Score: 52): network nodes 209.38.192.73 (ports 37084, 38241; ATT-INTERNET4US, United States) and serisontop.dyn; signature nodes "Multi AV Scanner detection for submitted file" and "Connects to many ports of the same IP (likely port scanning)"; process chain zersh4.elf started -> zersh4.elf started -> zersh4.elf started.

Source | Detection | Scanner | Label
zersh4.elf | 29% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
serisontop.dyn | 154.216.16.250 | true | false | | high

Reputation legend:
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
209.38.192.73 | unknown | United States | 7018 | ATT-INTERNET4US | true
Match | Associated Sample Name / URL | Detection | Threat Name | Context
209.38.192.73 | zerspc.elf | malicious | Unknown |
209.38.192.73 | zerm68k.elf | malicious | Unknown |
209.38.192.73 | zermpsl.elf | malicious | Unknown |
209.38.192.73 | zerarm.elf | malicious | Unknown |
209.38.192.73 | zerx86.elf | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
serisontop.dyn | nklm68k.elf | malicious | Unknown | 154.216.16.244
serisontop.dyn | nabmpsl.elf | malicious | Unknown | 154.216.16.250
serisontop.dyn | splmpsl.elf | malicious | Unknown | 209.38.192.73
serisontop.dyn | nabmips.elf | malicious | Unknown | 209.38.192.73
serisontop.dyn | splppc.elf | malicious | Unknown | 154.216.16.250
serisontop.dyn | jklx86.elf | malicious | Unknown | 154.216.16.244
serisontop.dyn | nklmpsl.elf | malicious | Unknown | 154.216.16.250
serisontop.dyn | arm.elf | malicious | Unknown | 154.216.16.244
serisontop.dyn | jklmips.elf | malicious | Unknown | 154.216.16.250
serisontop.dyn | zerspc.elf | malicious | Unknown | 209.38.192.73

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATT-INTERNET4US | nklm68k.elf | malicious | Unknown | 70.254.163.117
ATT-INTERNET4US | nabmpsl.elf | malicious | Unknown | 12.178.23.37
ATT-INTERNET4US | splmpsl.elf | malicious | Unknown | 76.240.173.144
ATT-INTERNET4US | nabmips.elf | malicious | Unknown | 13.141.6.166
ATT-INTERNET4US | arm7.elf | malicious | Unknown | 99.185.12.79
ATT-INTERNET4US | jklx86.elf | malicious | Unknown | 12.140.118.169
ATT-INTERNET4US | nklmpsl.elf | malicious | Unknown | 63.196.53.0
ATT-INTERNET4US | arm.elf | malicious | Unknown | 67.37.29.135
ATT-INTERNET4US | jklmips.elf | malicious | Unknown | 75.12.20.197
ATT-INTERNET4US | zerspc.elf | malicious | Unknown | 209.38.192.73
No context
No context
No created / dropped files found
File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.75882966764686
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:zersh4.elf
File size:42'224 bytes
MD5:7475341fd60a61765cfdead32577e63d
SHA1:7a9431cdbc301834086c062390f5505a67731290
SHA256:59cf733d8bc6be41eca3211640666bdd438614dc4f8d3f1dfc6712a5fc3d9884
SHA512:0da7638574cbffc2e2e5f2527f0f633e1b28278f58a43ba72d2f6413680660bf1b430d93aeefb802fe118305d8d6e6434cc9a05b075f2e631916be44ff7bdc4a
SSDEEP:768:QaNwtOc6z8WekUjk+4X9PEE4MZEjUrCxXoODMCXQT:QaNwtOVtJX9MEn0Ur8YcMCXQT
TLSH:06136DB7D8AEAD94C18D5274E4709E746F13F200D2631EFB594588BA8043AACF60E7F5
File Content Preview:.ELF..............*.......@.4...8.......4. ...(...............@...@.t...t...............x...x.A.x.A.|...............Q.td............................././"O.n........#.*@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:<unknown>
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4001a0
Flags:0x9
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:41784
Section Header Size:40
Number of Section Headers:11
Header String Table Index:10

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x4000e0 | 0xe0 | 0x9920 | 0x0 | 0x6 | AX | 0 | 0 | 32
.fini | PROGBITS | 0x409a00 | 0x9a00 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x409a24 | 0x9a24 | 0x750 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x41a178 | 0xa178 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x41a180 | 0xa180 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x41a188 | 0xa188 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x41a18c | 0xa18c | 0x168 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x41a2f4 | 0xa2f4 | 0x178 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0xa2f4 | 0x43 | 0x0 | 0x0 | | 0 | 0 | 1

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0xa174 | 0xa174 | 6.8185 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0xa178 | 0x41a178 | 0x41a178 | 0x17c | 0x2f4 | 0.8961 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 04:01:38.950690031 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:01:39.070178986 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:01:39.070379019 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:01:39.071274996 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:01:39.190884113 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:01:39.190999031 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:01:39.310482025 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:01:49.081490040 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:01:49.200913906 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:01:49.504801035 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:01:49.504921913 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:02:49.542227030 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73
Dec 24, 2024 04:02:49.662519932 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:02:49.965883970 CET | 38241 | 37084 | 209.38.192.73 | 192.168.2.14
Dec 24, 2024 04:02:49.965964079 CET | 37084 | 38241 | 192.168.2.14 | 209.38.192.73

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 04:01:38.693207026 CET | 54719 | 53 | 192.168.2.14 | 185.181.61.24
Dec 24, 2024 04:01:38.949628115 CET | 53 | 54719 | 185.181.61.24 | 192.168.2.14

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 04:01:38.693207026 CET | 192.168.2.14 | 185.181.61.24 | 0x4468 | Standard query (0) | serisontop.dyn | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 04:01:38.949628115 CET | 185.181.61.24 | 192.168.2.14 | 0x4468 | No error (0) | serisontop.dyn | | 154.216.16.250 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 04:01:38.949628115 CET | 185.181.61.24 | 192.168.2.14 | 0x4468 | No error (0) | serisontop.dyn | | 209.38.192.73 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 04:01:38.949628115 CET | 185.181.61.24 | 192.168.2.14 | 0x4468 | No error (0) | serisontop.dyn | | 154.216.16.244 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC):03:01:38
Start date (UTC):24/12/2024
Path:/tmp/zersh4.elf
Arguments:/tmp/zersh4.elf
File size:4139976 bytes
MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):03:01:38
Start date (UTC):24/12/2024
Path:/tmp/zersh4.elf
Arguments:-
File size:4139976 bytes
MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):03:01:38
Start date (UTC):24/12/2024
Path:/tmp/zersh4.elf
Arguments:-
File size:4139976 bytes
MD5 hash:8943e5f8f8c280467b4472c15ae93ba9