
Linux Analysis Report
CONSTANT_STRATEGY.elf

Overview

General Information

Sample name: CONSTANT_STRATEGY.elf
Analysis ID: 1581559
MD5: 4fa5462c7589b6e9b24fe1aeeedf5c58
SHA1: b72c16da8077429ce7097945b711472d1c72666c
SHA256: 25dff41aae798165b831609293892b618b4d8091888b48c734110d79cf713cda
Tags: elf, user-abuse_ch
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581559
Start date and time: 2024-12-28 07:47:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: CONSTANT_STRATEGY.elf
Detection: MAL
Classification: mal52.linELF@0/0@0/0
Command: /tmp/CONSTANT_STRATEGY.elf
PID: 6218
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault, invalid memory reference
Killed: False
Standard Output: (empty)
Standard Error: (empty)

Yara matches (Source / Rule / Description / Author / Strings)

Source: CONSTANT_STRATEGY.elf
Rule: Multi_Trojan_Bishopsliver_42298c4a
Description: unknown
Author: unknown
Strings:
  • 0xa47cd0:$a1: ).RequestResend
  • 0xa424f2:$a2: ).GetPrivInfo

Source: CONSTANT_STRATEGY.elf
Rule: INDICATOR_TOOL_Sliver
Description: Detects Sliver implant cross-platform adversary emulation/red team
Author: ditekSHen
Strings:
  • 0x83ec23:$s3: .WGTCPForwarder
  • 0x83fa1b:$s3: .WGTCPForwarder
  • 0x840c4b:$s3: .WGTCPForwarder
  • 0x842214:$s3: .WGTCPForwarder
  • 0x844744:$s3: .WGTCPForwarder
  • 0x84557a:$s3: .WGTCPForwarder
  • 0x83b7b4:$s6: .BackdoorReq
  • 0x83eb87:$s7: .ProcessDumpReq
  • 0x8413fc:$s8: .InvokeSpawnDllReq
  • 0x837b5a:$s9: .SpawnDll
  • 0x83b8df:$s9: .SpawnDll

No Suricata rule has matched

AV Detection

Source: CONSTANT_STRATEGY.elf, Joe Sandbox ML: detected

Networking

Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown, TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: CONSTANT_STRATEGY.elf, String found in binary or memory: https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictx509:
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: CONSTANT_STRATEGY.elf, type: SAMPLE, Matched rule: Multi_Trojan_Bishopsliver_42298c4a, Author: unknown
Source: CONSTANT_STRATEGY.elf, type: SAMPLE, Matched rule: Detects Sliver implant cross-platform adversary emulation/red team, Author: ditekSHen
Source: CONSTANT_STRATEGY.elf, type: SAMPLE, Matched rule: Multi_Trojan_Bishopsliver_42298c4a, reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: CONSTANT_STRATEGY.elf, type: SAMPLE, Matched rule: INDICATOR_TOOL_Sliver, author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: classification engine, Classification label: mal52.linELF@0/0@0/0
MITRE ATT&CK matrix, matched techniques:
  • Command and Control: Encrypted Channel (1)
  • Command and Control: Application Layer Protocol (1)
No configs have been found

Antivirus detections (Source / Detection / Scanner)
CONSTANT_STRATEGY.elf | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info

Contacted URLs (Name / Source / Malicious / Antivirus Detection / Reputation)
https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflictx509: | CONSTANT_STRATEGY.elf | false | | high
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious)
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Context for contacted IPs (Match / Associated Sample Name or URL / Detection / Threat Name / Context)
109.202.202.202
  kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 and 91.189.91.42 (both IPs list the same associated samples)
  boatnet.m68k.elf | malicious | Mirai
  boatnet.spc.elf | malicious | Mirai
  win.elf | malicious | Unknown
  45.200.149.186-boatnet.arm6-2024-12-28T01_23_00.elf | malicious | Mirai
  byte.x86.elf | malicious | Mirai, Okiru
  byte.ppc.elf | malicious | Mirai, Okiru
  109.176.30.237-boatnet.mips-2024-12-27T21_21_18.elf | malicious | Mirai
  mpsl.elf | malicious | Unknown
  https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d | malicious | HTMLPhisher
  Electrum-bch-4.4.2-x86_64.AppImage.elf | malicious | Unknown
No context

Context for ASNs (Match / Associated Sample Name or URL / Detection / Threat Name / Context IP)
CANONICAL-ASGB
  boatnet.m68k.elf | malicious | Mirai | 91.189.91.42
  boatnet.spc.elf | malicious | Mirai | 91.189.91.42
  win.elf | malicious | Unknown | 91.189.91.42
  45.200.149.186-boatnet.arm6-2024-12-28T01_23_00.elf | malicious | Mirai | 91.189.91.42
  45.200.149.186-boatnet.arc-2024-12-28T01_22_59.elf | malicious | Mirai | 185.125.190.26
  byte.x86.elf | malicious | Mirai, Okiru | 91.189.91.42
  byte.ppc.elf | malicious | Mirai, Okiru | 91.189.91.42
  109.176.30.237-boatnet.mips-2024-12-27T21_21_18.elf | malicious | Mirai | 91.189.91.42
  109.176.30.237-boatnet.mpsl-2024-12-27T20_20_43.elf | malicious | Mirai | 185.125.190.26
  mpsl.elf | malicious | Unknown | 91.189.91.42
INIT7CH
  boatnet.m68k.elf | malicious | Mirai | 109.202.202.202
  boatnet.spc.elf | malicious | Mirai | 109.202.202.202
  win.elf | malicious | Unknown | 109.202.202.202
  45.200.149.186-boatnet.arm6-2024-12-28T01_23_00.elf | malicious | Mirai | 109.202.202.202
  byte.x86.elf | malicious | Mirai, Okiru | 109.202.202.202
  byte.ppc.elf | malicious | Mirai, Okiru | 109.202.202.202
  109.176.30.237-boatnet.mips-2024-12-27T21_21_18.elf | malicious | Mirai | 109.202.202.202
  mpsl.elf | malicious | Unknown | 109.202.202.202
  (same greensofttech1-my.sharepoint.com URL as listed under the contacted IPs above) | malicious | HTMLPhisher | 109.202.202.202
  Electrum-bch-4.4.2-x86_64.AppImage.elf | malicious | Unknown | 109.202.202.202
No context
No created / dropped files found

File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=h7kopOlDbkWG_lX59-Z3/IRg1kmr9tzOfEmvy9_JV/wukbpGaibo5p6bQxb7u-/XpIYTpkd2HKi-PfhftP7, with debug_info, not stripped
Entropy (8bit): 5.9564962513866515
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
  • ELF Executable and Linkable format (generic) (4004/1) 49.46%
  • Lumena CEL bitmap (63/63) 0.78%
File name: CONSTANT_STRATEGY.elf
File size: 12'664'528 bytes
MD5: 4fa5462c7589b6e9b24fe1aeeedf5c58
SHA1: b72c16da8077429ce7097945b711472d1c72666c
SHA256: 25dff41aae798165b831609293892b618b4d8091888b48c734110d79cf713cda
SHA512: 1076cca1a200d16b626e75d6b2e8edf9e83dc84b40eb3b40647209559cebf7b8413e0f049bc521926524bbf3464ffabce182d8de780ce8f697a78384b1631b3e
SSDEEP: 49152:grcIsqUK5dNbDAzpGTlDbD8AYKokfbVBiGp73O/G9hRh/uFhVdajKounC2ptzu61:VH6QuQhBOL3Vv1kNMJuVEQDwivBMblux
TLSH: 11D6D743F96951E9C0EAE5748726A223BE613C88573473E7AF60F6601735FE0A6BD310
File Content Preview: .ELF..............>.....`.G.....@...................@.8...@.............@.......@.@.....@.@...............................................@.......@.....d.......d.................................@.......@.....b8......b8.......................@.......@.....
TCP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP)
Dec 28, 2024 07:47:45.242841005 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Dec 28, 2024 07:47:50.874176025 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Dec 28, 2024 07:47:52.154026985 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Dec 28, 2024 07:48:05.975845098 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Dec 28, 2024 07:48:18.262089968 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Dec 28, 2024 07:48:22.357523918 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Dec 28, 2024 07:48:46.930073977 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42

                                            System Behavior