Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
nn.elf

Overview

General Information

Sample name:nn.elf
Analysis ID:1583482
MD5:2eddd23f0b126d19ac930e63ed44912f
SHA1:293fd2c05146d16d725e1b11f4fd6ca38efd3260
SHA256:7ac6709d8b957f328d1b3ae10f382955dca1eca094f32945f825407e50b7e875
Tags:elfuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Nanominer, Xmrig
Score:76
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nanominer
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1583482
Start date and time:2025-01-02 20:31:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 0s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:nn.elf
Detection:MAL
Classification:mal76.mine.linELF@0/0@0/0

Errors

  • No process behavior to analyse as no analysis process or sample was found

Warnings

  • VT rate limit hit for: nn.elf

Runtime Messages

Command:/tmp/nn.elf
PID:6234
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XMRIGNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
nn.elfJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
    nn.elfJoeSecurity_NanominerYara detected NanominerJoe Security
      nn.elfLinux_Cryptominer_Generic_e0cca9dcunknownunknown
      • 0x1dd87e:$a: 54 24 40 48 8D 94 24 C0 00 00 00 F3 41 0F 6F 01 48 89 7C 24 50 48 89 74

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: nn.elfReversingLabs: Detection: 15%

      Bitcoin Miner

      barindex
      Yara detected Nanominer
      Source: Yara matchFile source: nn.elf, type: SAMPLE
      Yara detected Xmrig cryptocurrency miner
      Source: Yara matchFile source: nn.elf, type: SAMPLE
      Found strings related to Crypto-Mining
      Source: nn.elfString found in binary or memory: St22_Weak_result_type_implIM7IClientFvRKSt7variantIJ12EthashResult13StratumResult17CryptonightResult15VerusHashResultEERKS1_IJ10EthashTask12StratumInput16CryptonightInput14VerusHashInputEESt10shared_ptrI6DeviceEEE
      Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
      Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
      Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
      Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
      Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
      Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
      Source: nn.elfString found in binary or memory: https://api.github.com/repos/nanopool/nanominer/releases/latestmalformed
      Source: nn.elfString found in binary or memory: https://api.nanopool.org/v1/invalid
      Source: nn.elfString found in binary or memory: https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls:
      Source: nn.elfString found in binary or memory: https://gcc.gnu.org/bugs
      Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: nn.elf, type: SAMPLEMatched rule: Linux_Cryptominer_Generic_e0cca9dc Author: unknown
      Source: nn.elf, type: SAMPLEMatched rule: Linux_Cryptominer_Generic_e0cca9dc reference_sample = 59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Generic, fingerprint = e7bc17ba356774ed10e65c95a8db3b09d3b9be72703e6daa9b601ea820481db7, id = e0cca9dc-0f3e-42d8-bb43-0625f4f9bfe1, last_modified = 2022-01-26
      Source: nn.elfBinary or memory string: V.SlN75?'j
      Source: classification engineClassification label: mal76.mine.linELF@0/0@0/0

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
      Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service

      Malware Configuration

      No configs have been found

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Number of created Files
      • Is malicious
      • Internet

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      nn.elf16%ReversingLabsWin32.Coinminer.XMRig

      Dropped Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://api.nanopool.org/v1/invalidnn.elffalse
        		unknown
        https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls:nn.elffalse
          		high
          https://api.github.com/repos/nanopool/nanominer/releases/latestmalformednn.elffalse
            		high
            https://gcc.gnu.org/bugsnn.elffalse
              		high

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              109.202.202.202
              		unknownSwitzerland
              		13030INIT7CHfalse
              91.189.91.43
              		unknownUnited Kingdom
              		41231CANONICAL-ASGBfalse
              91.189.91.42
              		unknownUnited Kingdom
              		41231CANONICAL-ASGBfalse

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
              • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
              91.189.91.43i.elfGet hashmaliciousUnknownBrowse
                Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                  ZohoAssistURSGet hashmaliciousUnknownBrowse
                    .i.elfGet hashmaliciousUnknownBrowse
                      file-grey.elfGet hashmaliciousUnknownBrowse
                        Aqua.mips.elfGet hashmaliciousUnknownBrowse
                          Aqua.mpsl.elfGet hashmaliciousUnknownBrowse
                            DEMONS.mips.elfGet hashmaliciousUnknownBrowse
                              i.elfGet hashmaliciousUnknownBrowse
                                i.elfGet hashmaliciousUnknownBrowse

                                  Domains

                                  No context

                                  ASNs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  CANONICAL-ASGBi.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                                  • 91.189.91.42
                                  ZohoAssistURSGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  .i.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  file-grey.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  Aqua.mips.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  Aqua.mpsl.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  DEMONS.mips.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  DEMONS.arm5.elfGet hashmaliciousUnknownBrowse
                                  • 185.125.190.26
                                  DEMONS.arm7.elfGet hashmaliciousMiraiBrowse
                                  • 185.125.190.26
                                  CANONICAL-ASGBi.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                                  • 91.189.91.42
                                  ZohoAssistURSGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  .i.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  file-grey.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  Aqua.mips.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  Aqua.mpsl.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  DEMONS.mips.elfGet hashmaliciousUnknownBrowse
                                  • 91.189.91.42
                                  DEMONS.arm5.elfGet hashmaliciousUnknownBrowse
                                  • 185.125.190.26
                                  DEMONS.arm7.elfGet hashmaliciousMiraiBrowse
                                  • 185.125.190.26
                                  INIT7CHi.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                                  • 109.202.202.202
                                  ZohoAssistURSGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  .i.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  file-grey.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  Aqua.mips.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  Aqua.mpsl.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  DEMONS.mips.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  i.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202
                                  i.elfGet hashmaliciousUnknownBrowse
                                  • 109.202.202.202

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  No created / dropped files found

                                  Static File Info

                                  General

                                  File type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 52906664
                                  Entropy (8bit):5.722979084281529
                                  TrID:
                                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                  File name:nn.elf
                                  File size:51'605'539 bytes
                                  MD5:2eddd23f0b126d19ac930e63ed44912f
                                  SHA1:293fd2c05146d16d725e1b11f4fd6ca38efd3260
                                  SHA256:7ac6709d8b957f328d1b3ae10f382955dca1eca094f32945f825407e50b7e875
                                  SHA512:8d6571ac402381ad260cedd71f988236f5c4743c17baa5acbf3237d92a671c87982c7171351d797539587733973d5a4aeb557c08265a960d2d768bd247f07d1e
                                  SSDEEP:393216:Se4n2yMyec44bbt3QR68Or5CbB/yBHqjihphKmXMGDiw6lcGkVpZu1rlPNNjlNT6:LOQbBqBKjihlXMWiwO9uZePX3d5Z1Bc5
                                  TLSH:E8B7F147F59150ECC1AED13486669263BA707CA94B3037EB2B90F7792E32BE05B39354
                                  File Content Preview:.ELF..............>.......C.....@........A'.........@.8...@.$.#.........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@.......t.......t....... ...............t............

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jan 2, 2025 20:31:52.229135990 CET43928443192.168.2.2391.189.91.42
                                  Jan 2, 2025 20:31:57.604239941 CET42836443192.168.2.2391.189.91.43
                                  Jan 2, 2025 20:31:59.140027046 CET4251680192.168.2.23109.202.202.202
                                  Jan 2, 2025 20:32:13.474045038 CET43928443192.168.2.2391.189.91.42
                                  Jan 2, 2025 20:32:23.712687969 CET42836443192.168.2.2391.189.91.43
                                  Jan 2, 2025 20:32:29.855952978 CET4251680192.168.2.23109.202.202.202
                                  Jan 2, 2025 20:32:54.428441048 CET43928443192.168.2.2391.189.91.42
                                  Jan 2, 2025 20:33:14.905550957 CET42836443192.168.2.2391.189.91.43

                                  System Behavior