
Linux Analysis Report
nn.elf

Overview

General Information

Sample name:nn.elf
Analysis ID:1581766
MD5:4f68425dc3657e8e646db37d27b357ad
SHA1:b8abc1ec8fa5fe71eb93eef87fb6c764415ddd79
SHA256:49fd14461c8731f1ea8a56355f9d2b0d5ee898283443a2613be20e0bde0c18bc
Tags:elf, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Nanominer, Xmrig
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Nanominer
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1581766
Start date and time:2024-12-28 23:17:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 22s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:nn.elf
Detection:MAL
Classification:mal68.mine.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found
  • VT rate limit hit for: nn.elf
Command:/tmp/nn.elf
PID:5486
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output: (empty)

Standard Error: (empty)

Yara Overview

Source | Rule | Description | Author | Strings
nn.elf | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
nn.elf | JoeSecurity_Nanominer | Yara detected Nanominer | Joe Security |
nn.elf | Linux_Cryptominer_Generic_e0cca9dc | unknown | unknown | 0x1dd87e:$a: 54 24 40 48 8D 94 24 C0 00 00 00 F3 41 0F 6F 01 48 89 7C 24 50 48 89 74
      No Suricata rule has matched


      Bitcoin Miner

Source: Yara match (two hits, JoeSecurity_Xmrig and JoeSecurity_Nanominer as listed in the Yara Overview); File source: nn.elf, type: SAMPLE
Source: nn.elf; String found in binary or memory: St22_Weak_result_type_implIM7IClientFvRKSt7variantIJ12EthashResult13StratumResult17CryptonightResult15VerusHashResultEERKS1_IJ10EthashTask12StratumInput16CryptonightInput14VerusHashInputEESt10shared_ptrI6DeviceEEE
(Itanium C++ ABI mangled name; demangled: std::_Weak_result_type_impl<void (IClient::*)(std::variant<EthashResult, StratumResult, CryptonightResult, VerusHashResult> const&, std::variant<EthashTask, StratumInput, CryptonightInput, VerusHashInput> const&, std::shared_ptr<Device>)>. The four result/task types name the algorithms the miner client dispatches on: Ethash, Stratum, Cryptonight and VerusHash.)
Source: global traffic; TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown; TCP traffic detected without corresponding DNS query: 185.125.190.26 (reported twice)
Source: nn.elf; String found in binary or memory: https://api.github.com/repos/nanopool/nanominer/releases/latestmalformed
Source: nn.elf; String found in binary or memory: https://api.nanopool.org/v1/invalid
Source: nn.elf; String found in binary or memory: https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls:
Source: nn.elf; String found in binary or memory: https://gcc.gnu.org/bugs
Source: unknown; Network traffic detected: HTTP traffic on port 46540 -> 443
Note: the trailing "malformed", "invalid" and "tls:" on the URL strings appear to be adjacent strings in the binary that the extractor ran together with the URL. 185.125.190.26 sits in AS41231 (CANONICAL-AS, see the IP table below) and is the same address the context section of this report lists for unrelated Mirai and Gafgyt samples; no DNS query was made for any of the nanopool, GitHub or blockscout hostnames embedded in the binary. Since the process exited on SIGSEGV, this single TLS connection cannot be attributed to the sample from this report alone; the miner verdict rests on the static YARA and string matches.

      System Summary

Source: nn.elf, type: SAMPLE; Matched rule: Linux_Cryptominer_Generic_e0cca9dc, Author: unknown
Source: nn.elf, type: SAMPLE; Matched rule: Linux_Cryptominer_Generic_e0cca9dc (reference_sample = 59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Generic, fingerprint = e7bc17ba356774ed10e65c95a8db3b09d3b9be72703e6daa9b601ea820481db7, id = e0cca9dc-0f3e-42d8-bb43-0625f4f9bfe1, last_modified = 2022-01-26)
Source: classification engine; Classification label: mal68.mine.linELF@0/0@0/0
MITRE ATT&CK Matrix

Only two techniques were mapped, both in the Command and Control column:
  • Encrypted Channel (1)
  • Application Layer Protocol (1)
No techniques were mapped under Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration or Impact.
      No configs have been found
Source | Detection | Scanner | Label
nn.elf | 11% | ReversingLabs | Linux.Coinminer.Generic
No Antivirus matches
      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.nanopool.org/v1/invalid | nn.elf | false | | unknown
https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls: | nn.elf | false | | high
https://api.github.com/repos/nanopool/nanominer/releases/latestmalformed | nn.elf | false | | high
https://gcc.gnu.org/bugs | nn.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Context for 185.125.190.26: other samples that contacted this IP (all detected as malicious; threat name in parentheses)
  • nshkarm.elf (Unknown)
  • wrjkngh4.elf (Mirai)
  • mips.elf (Gafgyt)
  • yakuza.m68k.elf (Mirai)
  • mpsl.elf (Gafgyt)
  • yakuza.i586.elf (Mirai)
  • x86_64.elf (Gafgyt)
  • 45.200.149.186-boatnet.arc-2024-12-28T01_22_59.elf (Mirai)
  • 109.176.30.237-boatnet.mpsl-2024-12-27T20_20_43.elf (Mirai)
  • drp.x86.elf (Mirai, Okiru)
                                  No context
Context for CANONICAL-ASGB: other samples that contacted this ASN (all detected as malicious; threat name in parentheses, contacted IP after the dash)
  • Aqua.x86_64.elf (Unknown) - 91.189.91.42
  • kqibeps.elf (Mirai) - 91.189.91.42
  • Aqua.mips.elf (Unknown) - 91.189.91.42
  • ngwa5.elf (Mirai) - 91.189.91.42
  • boatnet.mips.elf (Mirai) - 91.189.91.42
  • 109.71.252.43-boatnet.arm6-2024-12-28T20_30_37.elf (Mirai) - 91.189.91.42
  • fnkea7.elf (Mirai) - 91.189.91.42
  • fnkea7.elf (Mirai) - 91.189.91.42
  • dlr.arm5.elf (Unknown) - 91.189.91.42
  • dlr.mpsl.elf (Gafgyt) - 91.189.91.42
No context
                                  No created / dropped files found
File type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 52906664
Note: the section header offset 52906664 lies beyond the end of the 30'488'619-byte file, so the sample on disk is truncated. A truncated image is a plausible cause of the SIGSEGV exit (code 139) recorded above and of the empty process behavior; the detection score is therefore based on static YARA and string matches, not on observed mining.
                                  Entropy (8bit):5.274868687708035
                                  TrID:
                                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                  File name:nn.elf
                                  File size:30'488'619 bytes
                                  MD5:4f68425dc3657e8e646db37d27b357ad
                                  SHA1:b8abc1ec8fa5fe71eb93eef87fb6c764415ddd79
                                  SHA256:49fd14461c8731f1ea8a56355f9d2b0d5ee898283443a2613be20e0bde0c18bc
                                  SHA512:91a308699fee9821a57f99b0e7d04209ae09e5b281daa1122ad89b8d742456b87b97b3e5d18eb16a61688994c09311674870fa8edf55d92d9ceda1ca50de7b3c
                                  SSDEEP:393216:Se4n2yMyec44bbt3QR68Or5CbB/yBHqjihphKmXMGDiw6l:LOQbBqBKjihlXMWiwO
                                  TLSH:F867BE47F59150ECC1AED13486669263BA707CA94B3037EB2B90F7792E32BE05B39354
                                  File Content Preview:.ELF..............>.......C.....@........A'.........@.8...@.$.#.........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@.......t.......t....... ...............t............
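The following Python script is an added example (not Joe Sandbox's, Elastic's or Nanominer's code) that reproduces on a constructed stand-in buffer the three static checks this report rests on: the section-header-past-EOF condition behind the "missing section headers at 52906664" file type, the 8-bit entropy figure, and a search for the miner-indicator strings and the single YARA hex string ($a of Linux_Cryptominer_Generic_e0cca9dc) quoted in the Yara Overview. The demo buffer, the header values it uses, and the helper names (shannon_entropy, parse_elf64_header, section_headers_missing, find_indicators, triage, build_demo_sample) are assumptions for illustration; only the indicator strings and the $a bytes come from the report, and $a alone is not the full Elastic rule.

```python
"""Static ELF triage: truncation check, entropy, indicator and hex-pattern search.

Added example, not Joe Sandbox code.  The demo input is a constructed buffer
standing in for nn.elf (the real file is ~30 MB and is not embedded here).
"""
import math
import struct
from collections import Counter

# Indicator strings quoted in the report (as bytes so the scan runs on raw file data).
MINER_STRINGS = [
    b"api.nanopool.org",
    b"api.github.com/repos/nanopool/nanominer/releases/latest",
    b"blockscout.com/etc/mainnet/api",
    b"EthashResult",
    b"StratumResult",
    b"CryptonightResult",
    b"VerusHashResult",
]

# The one string shown for Linux_Cryptominer_Generic_e0cca9dc ($a at 0x1dd87e).
# The full Elastic rule has more strings and a condition that are not on the page.
YARA_A = bytes.fromhex(
    "54 24 40 48 8D 94 24 C0 00 00 00 F3 41 0F 6F 01 48 89 7C 24 50 48 89 74"
)

ELF_MAGIC = b"\x7fELF"
EHDR64_SIZE = 64
# e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
# e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR64_FMT = "<HHIQQQIHHHHHH"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0); the report shows 5.27 for nn.elf."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_elf64_header(data: bytes) -> dict:
    """Parse the ELF64 little-endian header fields the checks below need."""
    if len(data) < EHDR64_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:   # EI_CLASS: 2 == ELFCLASS64
        raise ValueError("only ELF64 handled here")
    if data[5] != 1:   # EI_DATA: 1 == little endian (LSB)
        raise ValueError("only little-endian handled here")
    f = struct.unpack_from(EHDR64_FMT, data, 16)
    return {"e_type": f[0], "e_machine": f[1], "e_entry": f[3], "e_phoff": f[4],
            "e_shoff": f[5], "e_phnum": f[9], "e_shentsize": f[10], "e_shnum": f[11]}


def section_headers_missing(data: bytes) -> bool:
    """True when the section header table lies past EOF, i.e. the file is truncated.
    This is the condition `file` reports as "missing section headers at <offset>"."""
    hdr = parse_elf64_header(data)
    if hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0:
        return False  # no section header table at all: legitimately stripped, not truncated
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"] > len(data)


def find_indicators(data: bytes) -> dict:
    """Offset of the first occurrence of each indicator string and of the YARA $a bytes."""
    hits = {}
    for s in MINER_STRINGS:
        off = data.find(s)
        if off != -1:
            hits[s.decode()] = off
    off = data.find(YARA_A)
    if off != -1:
        hits["Linux_Cryptominer_Generic_e0cca9dc:$a"] = off
    return hits


def triage(data: bytes) -> dict:
    """Summary a practitioner would want before trusting a sandbox verdict on a crashed sample."""
    return {"entropy": round(shannon_entropy(data), 3),
            "section_headers_missing": section_headers_missing(data),
            "indicators": find_indicators(data)}


def build_demo_sample() -> bytes:
    """Constructed stand-in for nn.elf (assumption, not the real file): a valid ELF64
    header whose e_shoff is the offset `file` reported, far past the end of this small
    buffer, followed by padding that carries a few of the report's indicator strings."""
    body = (b"\x00" * 64
            + b"https://api.nanopool.org/v1/" + b"\x00" * 32
            + YARA_A + b"\x00" * 32
            + b"St22_Weak_result_type_implIM7IClientFvRKSt7variantIJ12EthashResult13StratumResult"
            + b"\x00" * 64)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LSB, version 1, OSABI 0
    header = e_ident + struct.pack(
        EHDR64_FMT,
        2, 62, 1,        # ET_EXEC, EM_X86_64, EV_CURRENT
        0x401000,        # e_entry (arbitrary)
        64,              # e_phoff
        52906664,        # e_shoff: the offset from the report, beyond EOF
        0, 64, 56,       # e_flags, e_ehsize, e_phentsize
        0,               # e_phnum: no program headers in this stand-in
        64, 30, 29)      # e_shentsize, e_shnum, e_shstrndx
    return header + body


if __name__ == "__main__":
    for key, value in triage(build_demo_sample()).items():
        print(f"{key}: {value}")
```

Run against the real file with `triage(open("nn.elf", "rb").read())`; a hit on $a alone is weak evidence, while a truncated image plus the nanopool/blockscout URLs and the Ethash/Stratum/Cryptonight/VerusHash type names is the combination this report's verdict is built on.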
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 23:18:00.389796972 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26
Dec 28, 2024 23:18:31.620524883 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26

                                  System Behavior