Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
sh4.elf

Overview

General Information

Sample name:sh4.elf
Analysis ID:1584875
MD5:248421f62cfe089d1343a128294e1eff
SHA1:d302e483f81c4dd46c53e5de0383e9456a150b24
SHA256:038f9a28a1511e600d3d03cf5ec106b73462c719071070f87bc6f52f8623ce28
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:68
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1584875
Start date and time:2025-01-06 16:57:13 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:sh4.elf
Detection:MAL
Classification:mal68.spre.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: sh4.elf

Runtime Messages

Command:/tmp/sh4.elf
PID:5524
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • sh4.elf (PID: 5524, Parent: 5443, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.elf
    • sh4.elf New Fork (PID: 5526, Parent: 5524)
      • sh4.elf New Fork (PID: 5528, Parent: 5526)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
sh4.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    5524.1.00007fc8dc37f000.00007fc8dc38d000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      5526.1.00007fc8dc37f000.00007fc8dc38d000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: sh4.elfAvira: detected
        Multi AV Scanner detection for submitted file
        Source: sh4.elfReversingLabs: Detection: 52%

        Spreading

        barindex
        Opens /proc/net/* files useful for finding connected devices and routers
        Source: /tmp/sh4.elf (PID: 5524)Opens: /proc/net/routeJump to behavior
        Source: global trafficTCP traffic: 192.168.2.15:44132 -> 94.156.227.153:6969
        Source: unknownTCP traffic detected without corresponding DNS query: 94.156.227.153
        Source: unknownTCP traffic detected without corresponding DNS query: 94.156.227.153
        Source: unknownTCP traffic detected without corresponding DNS query: 94.156.227.153
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: ELF static info symbol of initial sample.symtab present: no
        Source: classification engineClassification label: mal68.spre.troj.linELF@0/0@2/0
        Source: /tmp/sh4.elf (PID: 5524)Queries kernel information via 'uname': Jump to behavior
        Source: sh4.elf, 5524.1.00007ffd1dd99000.00007ffd1ddba000.rw-.sdmp, sh4.elf, 5526.1.00007ffd1dd99000.00007ffd1ddba000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
        Source: sh4.elf, 5524.1.00005601a0a6a000.00005601a0acd000.rw-.sdmp, sh4.elf, 5526.1.00005601a0a6a000.00005601a0acd000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
        Source: sh4.elf, 5524.1.00007ffd1dd99000.00007ffd1ddba000.rw-.sdmp, sh4.elf, 5526.1.00007ffd1dd99000.00007ffd1ddba000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.elf
        Source: sh4.elf, 5524.1.00005601a0a6a000.00005601a0acd000.rw-.sdmp, sh4.elf, 5526.1.00005601a0a6a000.00005601a0acd000.rw-.sdmpBinary or memory string: V5!/etc/qemu-binfmt/sh4

        Stealing of Sensitive Information

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: sh4.elf, type: SAMPLE
        Source: Yara matchFile source: 5524.1.00007fc8dc37f000.00007fc8dc38d000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5526.1.00007fc8dc37f000.00007fc8dc38d000.r-x.sdmp, type: MEMORY
        Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
        Source: Initial sampleUser agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
        Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
        Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
        Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
        Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

        Remote Access Functionality

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: sh4.elf, type: SAMPLE
        Source: Yara matchFile source: 5524.1.00007fc8dc37f000.00007fc8dc38d000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5526.1.00007fc8dc37f000.00007fc8dc38d000.r-x.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
        Security Software Discovery        		Remote ServicesData from Local System1
        Data Obfuscation        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
        Remote System Discovery        		Remote Desktop ProtocolData from Removable Media1
        Non-Standard Port        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
        Non-Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
        Application Layer Protocol        		Traffic DuplicationData Destruction

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1584875 Sample: sh4.elf Startdate: 06/01/2025 Architecture: LINUX Score: 68 15 94.156.227.153, 44132, 6969 NETIXBG Bulgaria 2->15 17 daisy.ubuntu.com 2->17 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected Mirai 2->23 8 sh4.elf 2->8         started        signatures3 process4 signatures5 25 Opens /proc/net/* files useful for finding connected devices and routers 8->25 11 sh4.elf 8->11         started        process6 process7 13 sh4.elf 11->13         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        sh4.elf53%ReversingLabsLinux.Backdoor.Bashlite
        sh4.elf100%AviraEXP/ELF.Mirai.Z

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        		162.213.35.25
        		truefalse
          		high

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          94.156.227.153
          		unknownBulgaria
          		57463NETIXBGfalse

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          94.156.227.153root.elfGet hashmaliciousMiraiBrowse
            94.156.227.153-x86-2025-01-06T15_02_30.elfGet hashmaliciousMiraiBrowse

              Domains

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              daisy.ubuntu.comarm6.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24
              94.156.227.153-x86-2025-01-06T15_02_30.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.24
              94.156.227.153-mips-2025-01-06T15_02_30.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24
              94.156.227.153-arm-2025-01-06T14_32_11.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.25
              hidakibest.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
              • 162.213.35.24
              hidakibest.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
              • 162.213.35.25
              hidakibest.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
              • 162.213.35.25
              hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
              • 162.213.35.25
              hidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
              • 162.213.35.25
              Aqua.arm7.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.25

              ASNs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              NETIXBGroot.elfGet hashmaliciousMiraiBrowse
              • 94.156.227.153
              94.156.227.153-x86-2025-01-06T15_02_30.elfGet hashmaliciousMiraiBrowse
              • 94.156.227.153
              x86_64.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234
              arm7.nn.elfGet hashmaliciousMirai, OkiruBrowse
              • 94.156.227.234
              sh4.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234
              arm5.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234
              mips.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234
              mipsel.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234
              sparc.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234
              x86_32.nn.elfGet hashmaliciousOkiruBrowse
              • 94.156.227.234

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
              Entropy (8bit):6.865946293936231
              TrID:
              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
              File name:sh4.elf
              File size:55'232 bytes
              MD5:248421f62cfe089d1343a128294e1eff
              SHA1:d302e483f81c4dd46c53e5de0383e9456a150b24
              SHA256:038f9a28a1511e600d3d03cf5ec106b73462c719071070f87bc6f52f8623ce28
              SHA512:2dcc3eaec53e139cd9231caac0ea9857d174f29e719af637c32a615a0e795971e391e967c4af07dd4b01be3c1f3be62b8fd8a72c560320b3b64c62e4e2c9c0a5
              SSDEEP:768:4m/m8J+WWjegNiQruQSelZznKH8JIazola2x/fCfn010fx4bzOtvN/hYLORyII:tmCWjeOldlRKH8JTElF3CfB4yN/xy
              TLSH:D4439E23C9215F18D2999AB0B075CE784B53AA5093A71F7B6065C23C9443DDCF52B3FA
              File Content Preview:.ELF..............*.......@.4...0.......4. ...(...............@...@.D...D...............H...H.A.H.A......g..........Q.td............................././"O.n........#.*@........#.*@L....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

              Static ELF Info

              ELF header

              Class:ELF32
              Data:2's complement, little endian
              Version:1 (current)
              Machine:<unknown>
              Version Number:0x1
              Type:EXEC (Executable file)
              OS/ABI:UNIX - System V
              ABI Version:0
              Entry Point Address:0x4001a0
              Flags:0x9
              ELF Header Size:52
              Program Header Offset:52
              Program Header Size:32
              Number of Program Headers:3
              Section Header Offset:54832
              Section Header Size:40
              Number of Section Headers:10
              Header String Table Index:9

              Sections

              NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
              NULL0x00x00x00x00x0000
              .initPROGBITS0x4000940x940x300x00x6AX004
              .textPROGBITS0x4000e00xe00xb3600x00x6AX0032
              .finiPROGBITS0x40b4400xb4400x240x00x6AX004
              .rodataPROGBITS0x40b4640xb4640x1de00x00x2A004
              .ctorsPROGBITS0x41d2480xd2480x80x00x3WA004
              .dtorsPROGBITS0x41d2500xd2500x80x00x3WA004
              .dataPROGBITS0x41d25c0xd25c0x3940x00x3WA004
              .bssNOBITS0x41d5f00xd5f00x63680x00x3WA004
              .shstrtabSTRTAB0x00xd5f00x3e0x00x0001

              Program Segments

              TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
              LOAD0x00x4000000x4000000xd2440xd2446.92580x5R E0x10000.init .text .fini .rodata
              LOAD0xd2480x41d2480x41d2480x3a80x67102.84910x6RW 0x10000.ctors .dtors .data .bss
              GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

              Network Behavior

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Jan 6, 2025 16:58:00.775454044 CET441326969192.168.2.1594.156.227.153
              Jan 6, 2025 16:58:00.780308008 CET69694413294.156.227.153192.168.2.15
              Jan 6, 2025 16:58:00.780633926 CET441326969192.168.2.1594.156.227.153
              Jan 6, 2025 16:58:00.781979084 CET441326969192.168.2.1594.156.227.153
              Jan 6, 2025 16:58:00.786778927 CET69694413294.156.227.153192.168.2.15

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Jan 6, 2025 17:00:46.952011108 CET3709853192.168.2.151.1.1.1
              Jan 6, 2025 17:00:46.952066898 CET3940453192.168.2.151.1.1.1
              Jan 6, 2025 17:00:46.959091902 CET53394041.1.1.1192.168.2.15
              Jan 6, 2025 17:00:46.959275961 CET53370981.1.1.1192.168.2.15

              DNS Queries

              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Jan 6, 2025 17:00:46.952011108 CET192.168.2.151.1.1.10x550eStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
              Jan 6, 2025 17:00:46.952066898 CET192.168.2.151.1.1.10x37edStandard query (0)daisy.ubuntu.com28IN (0x0001)false

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Jan 6, 2025 17:00:46.959275961 CET1.1.1.1192.168.2.150x550eNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
              Jan 6, 2025 17:00:46.959275961 CET1.1.1.1192.168.2.150x550eNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

              System Behavior

              General

              Start time (UTC):15:57:59
              Start date (UTC):06/01/2025
              Path:/tmp/sh4.elf
              Arguments:/tmp/sh4.elf
              File size:4139976 bytes
              MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

              Chronological Activities


              General

              Start time (UTC):15:57:59
              Start date (UTC):06/01/2025
              Path:/tmp/sh4.elf
              Arguments:-
              File size:4139976 bytes
              MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

              Chronological Activities


              General

              Start time (UTC):15:57:59
              Start date (UTC):06/01/2025
              Path:/tmp/sh4.elf
              Arguments:-
              File size:4139976 bytes
              MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

              Chronological Activities