Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
byte.mips.elf

Overview

General Information

Sample name:byte.mips.elf
Analysis ID:1580824
MD5:4152b96120bb4ccb2c2998307aefb02a
SHA1:82bed20addf9bca3c5276394381c059c511359e1
SHA256:5e8937f62166176032feffb02bae1c3facfe6da24fdf7955e226601f6a07275e
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1580824
Start date and time:2024-12-26 10:12:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:byte.mips.elf
Detection:MAL
Classification:mal52.evad.linELF@0/0@2/0

Runtime Messages

Command:/tmp/byte.mips.elf
PID:5525
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Process Tree

  • system is lnxubuntu20
  • byte.mips.elf (PID: 5525, Parent: 5444, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/byte.mips.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: byte.mips.elfReversingLabs: Detection: 31%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: byte.mips.elfString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x400000
Source: classification engineClassification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation

barindex
Sample is packed with UPX
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $
Source: byte.mips.elfSubmission file: segment LOAD with 7.7503 entropy (max. 8.0)
Source: /tmp/byte.mips.elf (PID: 5525)Queries kernel information via 'uname': Jump to behavior
Source: byte.mips.elf, 5525.1.0000557e00916000.0000557e0099d000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: byte.mips.elf, 5525.1.00007fff6dc67000.00007fff6dc88000.rw-.sdmpBinary or memory string: Nx86_64/usr/bin/qemu-mips/tmp/byte.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/byte.mips.elf
Source: byte.mips.elf, 5525.1.00007fff6dc67000.00007fff6dc88000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: byte.mips.elf, 5525.1.0000557e00916000.0000557e0099d000.rw-.sdmpBinary or memory string: ~U!/etc/qemu-binfmt/mips
Source: byte.mips.elf, 5525.1.00007fff6dc67000.00007fff6dc88000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
byte.mips.elf32%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		high

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.netbyte.mips.elffalse
      		high

      World Map of Contacted IPs

      No contacted IP infos

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      daisy.ubuntu.combyte.ppc.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.24
      xd.arm6.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.25
      telnet.arm6.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25
      telnet.mpsl.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.24
      telnet.arm5.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25
      xd.m68k.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.25
      main_spc.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.24
      main_arm6.elfGet hashmaliciousMiraiBrowse
      • 162.213.35.24
      Aqua.dbg.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
      Entropy (8bit):7.746913124504868
      TrID:
      • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
      • ELF Executable and Linkable format (generic) (4004/1) 49.84%
      File name:byte.mips.elf
      File size:47'920 bytes
      MD5:4152b96120bb4ccb2c2998307aefb02a
      SHA1:82bed20addf9bca3c5276394381c059c511359e1
      SHA256:5e8937f62166176032feffb02bae1c3facfe6da24fdf7955e226601f6a07275e
      SHA512:ae5a95b2a1f6ba965e698efc89e9053f86e805e2ca8965ed26ee9f368203bed0576e566b7b5b39fc0144a085a9498de57939f135620920c4632918f8a06ca062
      SSDEEP:768:FVMWUHFO6MEn8DyhjPllAfl1c//HF1i29BOrt1tdWXhHN5zh2xciwpDBCQa8Y:I9HFt/19lAfQHH99BOrdO/w
      TLSH:5B23F1B8DB8C13F3EA58327911CF838BB4B125C35F4AED15175096096C1E1252A9DBFB
      File Content Preview:.ELF.....................@.....4.........4. ...(.............@...@...........................A...A.....................KUPX!.......................c....7.$..ELF.........@.....`.4....... ...(..`_......@.....`........E....<..46....dt.Q................@....l

      Static ELF Info

      ELF header

      Class:ELF32
      Data:2's complement, big endian
      Version:1 (current)
      Machine:MIPS R3000
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - System V
      ABI Version:0
      Entry Point Address:0x40af10
      Flags:0x1007
      ELF Header Size:52
      Program Header Offset:52
      Program Header Size:32
      Number of Program Headers:2
      Section Header Offset:0
      Section Header Size:40
      Number of Section Headers:0
      Header String Table Index:0

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x4000000x4000000xb9d60xb9d67.75030x5R E0x10000
      LOAD0x00x4100000x4100000x00x4c6180.00000x6RW 0x10000

      Network Behavior

      Network Port Distribution

      UDP Packets

      TimestampSource PortDest PortSource IPDest IP
      Dec 26, 2024 10:13:03.842375994 CET4575053192.168.2.151.1.1.1
      Dec 26, 2024 10:13:03.842433929 CET3954753192.168.2.151.1.1.1
      Dec 26, 2024 10:13:03.980088949 CET53457501.1.1.1192.168.2.15
      Dec 26, 2024 10:13:03.983279943 CET53395471.1.1.1192.168.2.15

      DNS Queries

      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
      Dec 26, 2024 10:13:03.842375994 CET192.168.2.151.1.1.10xe43Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
      Dec 26, 2024 10:13:03.842433929 CET192.168.2.151.1.1.10x2fb7Standard query (0)daisy.ubuntu.com28IN (0x0001)false

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Dec 26, 2024 10:13:03.980088949 CET1.1.1.1192.168.2.150xe43No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
      Dec 26, 2024 10:13:03.980088949 CET1.1.1.1192.168.2.150xe43No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

      System Behavior

      General

      Start time (UTC):09:13:02
      Start date (UTC):26/12/2024
      Path:/tmp/byte.mips.elf
      Arguments:/tmp/byte.mips.elf
      File size:5777432 bytes
      MD5 hash:0083f1f0e77be34ad27f849842bbb00c

      Chronological Activities