Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
i.elf

Overview

General Information

Sample name:i.elf
Analysis ID:1586760
MD5:e46e784f2846bded42d4f3664f5478b1
SHA1:9695887cc57aa62be96953b86fa748a79c46320d
SHA256:42b4f5fa05f7864d66290b36f2befb657b38b9c2421bd5ebd82201b171d7a326
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1586760
Start date and time:2025-01-09 15:47:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 41s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:i.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Warnings

  • VT rate limit hit for: i.elf

Runtime Messages

Command:/tmp/i.elf
PID:6228
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • i.elf (PID: 6228, Parent: 6151, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/i.elf
  • dash New Fork (PID: 6289, Parent: 4332)
  • rm (PID: 6289, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.aT0bsGQ7M5 /tmp/tmp.1vZ33jvQ4k /tmp/tmp.ln0c7QB67u
  • dash New Fork (PID: 6290, Parent: 4332)
  • rm (PID: 6290, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.aT0bsGQ7M5 /tmp/tmp.1vZ33jvQ4k /tmp/tmp.ln0c7QB67u
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: i.elfReversingLabs: Detection: 34%
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 33606
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 33606 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: LOAD without section mappingsProgram segment: 0x100000
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6289)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aT0bsGQ7M5 /tmp/tmp.1vZ33jvQ4k /tmp/tmp.ln0c7QB67uJump to behavior
Source: /usr/bin/dash (PID: 6290)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.aT0bsGQ7M5 /tmp/tmp.1vZ33jvQ4k /tmp/tmp.ln0c7QB67uJump to behavior
Source: i.elfSubmission file: segment LOAD with 7.9854 entropy (max. 8.0)
Source: /tmp/i.elf (PID: 6228)Queries kernel information via 'uname': Jump to behavior
Source: i.elf, 6228.1.00007ffe6ef26000.00007ffe6ef47000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/i.elf
Source: i.elf, 6228.1.0000558cf5743000.0000558cf57ca000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
Source: i.elf, 6228.1.0000558cf5743000.0000558cf57ca000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: i.elf, 6228.1.00007ffe6ef26000.00007ffe6ef47000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: i.elf, 6228.1.00007ffe6ef26000.00007ffe6ef47000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
File Deletion		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1586760 Sample: i.elf Startdate: 09/01/2025 Architecture: LINUX Score: 48 12 109.202.202.202, 80 INIT7CH Switzerland 2->12 14 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->14 16 2 other IPs or domains 2->16 18 Multi AV Scanner detection for submitted file 2->18 6 dash rm 2->6         started        8 dash rm 2->8         started        10 i.elf 2->10         started        signatures3 process4

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
i.elf34%ReversingLabsLinux.Infostealer.Berbew

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
54.171.230.55
unknownUnited States
16509AMAZON-02USfalse
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
54.171.230.55main_x86.elfGet hashmaliciousMiraiBrowse
    2.elfGet hashmaliciousUnknownBrowse
      sst.elfGet hashmaliciousGafgytBrowse
        12.elfGet hashmaliciousUnknownBrowse
          2.elfGet hashmaliciousUnknownBrowse
            ssl.elfGet hashmaliciousGafgytBrowse
              2.elfGet hashmaliciousUnknownBrowse
                mips.elfGet hashmaliciousMiraiBrowse
                  12.elfGet hashmaliciousUnknownBrowse
                    fenty.arm4.elfGet hashmaliciousMiraiBrowse
                      109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                      • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                      91.189.91.43main_arm.elfGet hashmaliciousMiraiBrowse
                        main_x86.elfGet hashmaliciousMiraiBrowse
                          2.elfGet hashmaliciousUnknownBrowse
                            arm5.elfGet hashmaliciousUnknownBrowse
                              x864433.elfGet hashmaliciousUnknownBrowse
                                sst.elfGet hashmaliciousGafgytBrowse
                                  ssx.elfGet hashmaliciousGafgytBrowse
                                    sss.elfGet hashmaliciousGafgytBrowse
                                      12.elfGet hashmaliciousUnknownBrowse
                                        Aqua.mpsl.elfGet hashmaliciousMiraiBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBmain_arm.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          main_x86.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          arm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          mips.elfGet hashmaliciousMiraiBrowse
                                          • 185.125.190.26
                                          x864433.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          sst.elfGet hashmaliciousGafgytBrowse
                                          • 91.189.91.42
                                          ssx.elfGet hashmaliciousGafgytBrowse
                                          • 91.189.91.42
                                          sss.elfGet hashmaliciousGafgytBrowse
                                          • 91.189.91.42
                                          12.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBmain_arm.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          main_x86.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          arm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          mips.elfGet hashmaliciousMiraiBrowse
                                          • 185.125.190.26
                                          x864433.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          sst.elfGet hashmaliciousGafgytBrowse
                                          • 91.189.91.42
                                          ssx.elfGet hashmaliciousGafgytBrowse
                                          • 91.189.91.42
                                          sss.elfGet hashmaliciousGafgytBrowse
                                          • 91.189.91.42
                                          12.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          AMAZON-02US24EPV9vjc5.exeGet hashmaliciousUnknownBrowse
                                          • 18.244.18.122
                                          kXzODlqJak.exeGet hashmaliciousUnknownBrowse
                                          • 18.244.18.32
                                          https://combatironapparel.com/collections/ranger-panty-shortsGet hashmaliciousUnknownBrowse
                                          • 65.9.66.27
                                          24EPV9vjc5.exeGet hashmaliciousUnknownBrowse
                                          • 3.171.139.66
                                          kXzODlqJak.exeGet hashmaliciousUnknownBrowse
                                          • 18.244.18.38
                                          cLm7ThwEvh.msiGet hashmaliciousUnknownBrowse
                                          • 18.244.18.38
                                          main_x86.elfGet hashmaliciousMiraiBrowse
                                          • 54.171.230.55
                                          mpsl.elfGet hashmaliciousMiraiBrowse
                                          • 18.230.152.183
                                          m68k.elfGet hashmaliciousMiraiBrowse
                                          • 18.151.37.12
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 54.171.230.55
                                          INIT7CHmain_arm.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          main_x86.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          arm5.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          x864433.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          sst.elfGet hashmaliciousGafgytBrowse
                                          • 109.202.202.202
                                          ssx.elfGet hashmaliciousGafgytBrowse
                                          • 109.202.202.202
                                          sss.elfGet hashmaliciousGafgytBrowse
                                          • 109.202.202.202
                                          12.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          Aqua.mpsl.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                                          Entropy (8bit):7.985427621650203
                                          TrID:
                                          • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                          • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                          File name:i.elf
                                          File size:17'654 bytes
                                          MD5:e46e784f2846bded42d4f3664f5478b1
                                          SHA1:9695887cc57aa62be96953b86fa748a79c46320d
                                          SHA256:42b4f5fa05f7864d66290b36f2befb657b38b9c2421bd5ebd82201b171d7a326
                                          SHA512:d1acdd3d99cd32c7f7dfe032bf973a5ef9e7d934e645d0830eb06412da935cc96bdfb78e9f2bf2cf97dc28c6d5c22b671ab003f361af5ef701e312d503028ba8
                                          SSDEEP:384:YTYXvQDuYY2xZ6VTgDK4mpwTl5yejHSDeWBbo7hcE:YTYIDfYG6ZmewZ59+E
                                          TLSH:CA82F14A2A9C3B47F8B255F2F33C7E49F3061E8D77AB9817D1996123507702AA504C3B
                                          File Content Preview:.ELF....................../....4.........4. ...(......................Bd..Bd.................G...G.................................................^.......?.E.h4...@b..) ..]..0...a.t<..mc.zy/..>..!c...gM\<j..W`xD'..}...\..].j.L.u...S..i...../..F...@`..'k.

                                          Static ELF Info

                                          ELF header

                                          Class:ELF32
                                          Data:2's complement, big endian
                                          Version:1 (current)
                                          Machine:MIPS R3000
                                          Version Number:0x1
                                          Type:EXEC (Executable file)
                                          OS/ABI:UNIX - System V
                                          ABI Version:0
                                          Entry Point Address:0x112fe8
                                          Flags:0x1007
                                          ELF Header Size:52
                                          Program Header Offset:52
                                          Program Header Size:32
                                          Number of Program Headers:2
                                          Section Header Offset:0
                                          Section Header Size:40
                                          Number of Section Headers:0
                                          Header String Table Index:0

                                          Program Segments

                                          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                          LOAD0x00x1000000x1000000x142640x142647.98540x5R E0x10000
                                          LOAD0xa6c00x47a6c00x47a6c00x00x00.00000x6RW 0x10000

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jan 9, 2025 15:48:02.316994905 CET42836443192.168.2.2391.189.91.43
                                          Jan 9, 2025 15:48:03.084882975 CET4251680192.168.2.23109.202.202.202
                                          Jan 9, 2025 15:48:16.907252073 CET43928443192.168.2.2391.189.91.42
                                          Jan 9, 2025 15:48:29.193504095 CET42836443192.168.2.2391.189.91.43
                                          Jan 9, 2025 15:48:32.110749960 CET33606443192.168.2.2354.171.230.55
                                          Jan 9, 2025 15:48:32.115761995 CET4433360654.171.230.55192.168.2.23
                                          Jan 9, 2025 15:48:32.115823030 CET33606443192.168.2.2354.171.230.55
                                          Jan 9, 2025 15:48:33.289005995 CET4251680192.168.2.23109.202.202.202
                                          Jan 9, 2025 15:48:57.861680031 CET43928443192.168.2.2391.189.91.42

                                          System Behavior

                                          General

                                          Start time (UTC):14:47:58
                                          Start date (UTC):09/01/2025
                                          Path:/tmp/i.elf
                                          Arguments:/tmp/i.elf
                                          File size:5777432 bytes
                                          MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                                          Chronological Activities


                                          General

                                          Start time (UTC):14:48:31
                                          Start date (UTC):09/01/2025
                                          Path:/usr/bin/dash
                                          Arguments:-
                                          File size:129816 bytes
                                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                          Chronological Activities


                                          General

                                          Start time (UTC):14:48:31
                                          Start date (UTC):09/01/2025
                                          Path:/usr/bin/rm
                                          Arguments:rm -f /tmp/tmp.aT0bsGQ7M5 /tmp/tmp.1vZ33jvQ4k /tmp/tmp.ln0c7QB67u
                                          File size:72056 bytes
                                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                          Chronological Activities


                                          General

                                          Start time (UTC):14:48:31
                                          Start date (UTC):09/01/2025
                                          Path:/usr/bin/dash
                                          Arguments:-
                                          File size:129816 bytes
                                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                          Chronological Activities


                                          General

                                          Start time (UTC):14:48:31
                                          Start date (UTC):09/01/2025
                                          Path:/usr/bin/rm
                                          Arguments:rm -f /tmp/tmp.aT0bsGQ7M5 /tmp/tmp.1vZ33jvQ4k /tmp/tmp.ln0c7QB67u
                                          File size:72056 bytes
                                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                          Chronological Activities