Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
RpcSecurity.arc.elf

Overview

General Information

Sample name:RpcSecurity.arc.elf
Analysis ID:1581156
MD5:dabea48424778cafb411d40e3a7be0aa
SHA1:9440f9d9c49901b9ec749e279e752593b9f5a773
SHA256:9698d89a9c60ce2510c09bd6f4f8151e4b89b0aa07e6a7a26d7262a8c414a646
Tags:elfGafgytuser-lontze7
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Mirai
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1581156
Start date and time:2024-12-27 06:36:11 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:RpcSecurity.arc.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@0/0

Errors

  • No process behavior to analyse as no analysis process or sample was found

Runtime Messages

Command:/tmp/RpcSecurity.arc.elf
PID:6265
Exit Code:255
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
RpcSecurity.arc.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
    RpcSecurity.arc.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0x117e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x117f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1180c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1185c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11870:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11884:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11898:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x118ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x118c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x118d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x118e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x118fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11910:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11924:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11938:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1194c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11960:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x11974:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus / Scanner detection for submitted sample
    Source: RpcSecurity.arc.elfAvira: detected
    Multi AV Scanner detection for submitted file
    Source: RpcSecurity.arc.elfReversingLabs: Detection: 60%
    Source: RpcSecurity.arc.elfVirustotal: Detection: 61%Perma Link
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: RpcSecurity.arc.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: ELF static info symbol of initial sample.symtab present: no
    Source: RpcSecurity.arc.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: classification engineClassification label: mal72.troj.linELF@0/0@0/0

    Stealing of Sensitive Information

    barindex
    Yara detected Mirai
    Source: Yara matchFile source: RpcSecurity.arc.elf, type: SAMPLE

    Remote Access Functionality

    barindex
    Yara detected Mirai
    Source: Yara matchFile source: RpcSecurity.arc.elf, type: SAMPLE

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
    Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service

    Malware Configuration

    No configs have been found

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    RpcSecurity.arc.elf61%ReversingLabsLinux.Trojan.Mirai
    RpcSecurity.arc.elf62%VirustotalBrowse
    RpcSecurity.arc.elf100%AviraEXP/ELF.Mirai.Z.A

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    109.202.202.202
    		unknownSwitzerland
    		13030INIT7CHfalse
    91.189.91.43
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse
    91.189.91.42
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
    • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
    91.189.91.43RpcSecurity.sh4.elfGet hashmaliciousUnknownBrowse
      db0fa4b8db0333367e9bda3ab68b8042.arm5.elfGet hashmaliciousUnknownBrowse
        db0fa4b8db0333367e9bda3ab68b8042.ppc.elfGet hashmaliciousUnknownBrowse
          db0fa4b8db0333367e9bda3ab68b8042.arm.elfGet hashmaliciousUnknownBrowse
            bin.sh.elfGet hashmaliciousUnknownBrowse
              mipsel.elfGet hashmaliciousUnknownBrowse
                .i.elfGet hashmaliciousUnknownBrowse
                  db0fa4b8db0333367e9bda3ab68b8042.mips.elfGet hashmaliciousUnknownBrowse
                    db0fa4b8db0333367e9bda3ab68b8042.arm6.elfGet hashmaliciousUnknownBrowse
                      feiwbps.elfGet hashmaliciousMiraiBrowse
                        91.189.91.42RpcSecurity.sh4.elfGet hashmaliciousUnknownBrowse
                          db0fa4b8db0333367e9bda3ab68b8042.arm5.elfGet hashmaliciousUnknownBrowse
                            db0fa4b8db0333367e9bda3ab68b8042.ppc.elfGet hashmaliciousUnknownBrowse
                              db0fa4b8db0333367e9bda3ab68b8042.arm.elfGet hashmaliciousUnknownBrowse
                                bin.sh.elfGet hashmaliciousUnknownBrowse
                                  mipsel.elfGet hashmaliciousUnknownBrowse
                                    .i.elfGet hashmaliciousUnknownBrowse
                                      db0fa4b8db0333367e9bda3ab68b8042.mips.elfGet hashmaliciousUnknownBrowse
                                        db0fa4b8db0333367e9bda3ab68b8042.arm6.elfGet hashmaliciousUnknownBrowse
                                          feiwbps.elfGet hashmaliciousMiraiBrowse

                                            Domains

                                            No context

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            CANONICAL-ASGBRpcSecurity.sh4.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.arm5.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.ppc.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.arm.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            bin.sh.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            mipsel.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            .i.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.mips.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.arm6.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            feiwbps.elfGet hashmaliciousMiraiBrowse
                                            • 91.189.91.42
                                            CANONICAL-ASGBRpcSecurity.sh4.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.arm5.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.ppc.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.arm.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            bin.sh.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            mipsel.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            .i.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.mips.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            db0fa4b8db0333367e9bda3ab68b8042.arm6.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            feiwbps.elfGet hashmaliciousMiraiBrowse
                                            • 91.189.91.42
                                            INIT7CHRpcSecurity.sh4.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            db0fa4b8db0333367e9bda3ab68b8042.arm5.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            db0fa4b8db0333367e9bda3ab68b8042.ppc.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            db0fa4b8db0333367e9bda3ab68b8042.arm.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            bin.sh.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            mipsel.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            .i.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            db0fa4b8db0333367e9bda3ab68b8042.mips.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            db0fa4b8db0333367e9bda3ab68b8042.arm6.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            feiwbps.elfGet hashmaliciousMiraiBrowse
                                            • 109.202.202.202

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            No created / dropped files found

                                            Static File Info

                                            General

                                            File type:ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), statically linked, stripped
                                            Entropy (8bit):6.343536378960414
                                            TrID:
                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                            File name:RpcSecurity.arc.elf
                                            File size:117'288 bytes
                                            MD5:dabea48424778cafb411d40e3a7be0aa
                                            SHA1:9440f9d9c49901b9ec749e279e752593b9f5a773
                                            SHA256:9698d89a9c60ce2510c09bd6f4f8151e4b89b0aa07e6a7a26d7262a8c414a646
                                            SHA512:b95588e2bc3363c71b750e0c4b8f9527356832f3a3f0d7bddfd0b268b53934d5f6c32cb7bfd636150e23a13994d01a8cadd2d6173790781c03e5de8561ff3852
                                            SSDEEP:1536:Rg4uLcytbI96sfY2aye7tcOiyRLqlqOgb3a10Z/LWmoo:e4uLcytU96CY2JatcwRLqlqOgbWYqmo
                                            TLSH:4FB39DABF2071591C8A346F007CB4FDE6E1722C29F57C4E36C6E253E58750DB5A0AB86
                                            File Content Preview:.ELF..............].........4...........4. ...(.................................. ......................|........ ..................................................................Q.td.......................................................................

                                            Static ELF Info

                                            ELF header

                                            Class:ELF32
                                            Data:2's complement, little endian
                                            Version:1 (current)
                                            Machine:<unknown>
                                            Version Number:0x1
                                            Type:EXEC (Executable file)
                                            OS/ABI:UNIX - System V
                                            ABI Version:0
                                            Entry Point Address:0x106d8
                                            Flags:0x403
                                            ELF Header Size:52
                                            Program Header Offset:52
                                            Program Header Size:32
                                            Number of Program Headers:5
                                            Section Header Offset:116728
                                            Section Header Size:40
                                            Number of Section Headers:14
                                            Header String Table Index:13

                                            Sections

                                            NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                            NULL0x00x00x00x00x0000
                                            .initPROGBITS0x101140x1140x220x00x6AX001
                                            .textPROGBITS0x101380x1380x111d40x00x6AX004
                                            .finiPROGBITS0x2130c0x1130c0x160x00x6AX001
                                            .rodataPROGBITS0x213240x113240x92840x00x2A004
                                            .tbssNOBITS0x2dfe00x1bfe00x80x00x403WAT004
                                            .fini_arrayFINI_ARRAY0x2dfe00x1bfe00x40x40x3WA004
                                            .ctorsPROGBITS0x2dfe40x1bfe40x80x00x3WA004
                                            .dtorsPROGBITS0x2dfec0x1bfec0x80x00x3WA004
                                            .gotPROGBITS0x2dff40x1bff40x80x00x3WA004
                                            .dataPROGBITS0x2e0080x1c0080x7580x00x3WA004
                                            .bssNOBITS0x2e7600x1c7600x7bfc0x00x3WA004
                                            .ARC.attributes<unknown>0x00x1c7600x320x00x0001
                                            .shstrtabSTRTAB0x00x1c7920x650x00x0001

                                            Program Segments

                                            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                            LOAD0x00x100000x100000x1a5a80x1a5a86.62080x5R E0x2000.init .text .fini .rodata
                                            LOAD0x1bfe00x2dfe00x2dfe00x7800x837c4.54700x6RW 0x2000.tbss .fini_array .ctors .dtors .got .data .bss
                                            NOTE0x00x00x00x00x00.00000x4R 0x4
                                            TLS0x1bfe00x2dfe00x2dfe00x00x80.00000x4R 0x4.tbss
                                            GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Dec 27, 2024 06:37:08.267616034 CET43928443192.168.2.2391.189.91.42
                                            Dec 27, 2024 06:37:13.642859936 CET42836443192.168.2.2391.189.91.43
                                            Dec 27, 2024 06:37:14.410744905 CET4251680192.168.2.23109.202.202.202
                                            Dec 27, 2024 06:37:30.024552107 CET43928443192.168.2.2391.189.91.42
                                            Dec 27, 2024 06:37:40.263159990 CET42836443192.168.2.2391.189.91.43
                                            Dec 27, 2024 06:37:44.358678102 CET4251680192.168.2.23109.202.202.202
                                            Dec 27, 2024 06:38:10.978900909 CET43928443192.168.2.2391.189.91.42

                                            System Behavior