Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
armv4eb.elf

Overview

General Information

Sample name:armv4eb.elf
Analysis ID:1587189
MD5:4958eb1d60abb2f860a7e65733b98ad6
SHA1:778202f2eaa4ef97cad58e1e822191e90a8a9dd5
SHA256:08e1c67d7ff174f7ebcb7c16ae27713710a63efddeea45fd835c0033b6e799c5
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Opens /sys/class/net/* files useful for querying network interface information
Sample deletes itself
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1587189
Start date and time:2025-01-10 00:52:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:armv4eb.elf
Detection:MAL
Classification:mal48.spyw.evad.linELF@0/0@0/0

Warnings

  • VT rate limit hit for: armv4eb.elf

Runtime Messages

Command:/tmp/armv4eb.elf
PID:6213
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • armv4eb.elf (PID: 6213, Parent: 6125, MD5: 6ef685c2c206c9caa9a952987789a1a5) Arguments: /tmp/armv4eb.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

barindex
Opens /sys/class/net/* files useful for querying network interface information
Source: /tmp/armv4eb.elf (PID: 6213)Opens: /sys/class/net/Jump to behavior
Source: /tmp/armv4eb.elf (PID: 6213)Opens: /sys/class/net/ens160/addressJump to behavior
Source: /tmp/armv4eb.elf (PID: 6213)Opens: /sys/class/net/ens160/flagsJump to behavior
Source: /tmp/armv4eb.elf (PID: 6213)Opens: /sys/class/net/ens160/carrierJump to behavior
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.spyw.evad.linELF@0/0@0/0

Hooking and other Techniques for Hiding and Protection

barindex
Sample deletes itself
Source: /tmp/armv4eb.elf (PID: 6213)File: /tmp/armv4eb.elfJump to behavior
Source: /tmp/armv4eb.elf (PID: 6213)Queries kernel information via 'uname': Jump to behavior
Source: armv4eb.elf, 6213.1.000055ae29e20000.000055ae29f6e000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/armeb
Source: armv4eb.elf, 6213.1.00007ffecb22b000.00007ffecb24c000.rw-.sdmpBinary or memory string: /usr/bin/qemu-armeb
Source: armv4eb.elf, 6213.1.00007ffecb22b000.00007ffecb24c000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-armeb/tmp/armv4eb.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/armv4eb.elf
Source: armv4eb.elf, 6213.1.000055ae29e20000.000055ae29f6e000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/armeb

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
armv4eb.elf11%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.4312.elfGet hashmaliciousUnknownBrowse
    2.elfGet hashmaliciousUnknownBrowse
      fenty.arm7.elfGet hashmaliciousMiraiBrowse
        fenty.arm6.elfGet hashmaliciousMiraiBrowse
          wind.x86.elfGet hashmaliciousMiraiBrowse
            wind.ppc.elfGet hashmaliciousMiraiBrowse
              arm.elfGet hashmaliciousUnknownBrowse
                31.43.163.57-mips-2025-01-09T20_13_20.elfGet hashmaliciousUnknownBrowse
                  fenty.arm4.elfGet hashmaliciousMiraiBrowse
                    main_ppc.elfGet hashmaliciousMiraiBrowse
                      91.189.91.4212.elfGet hashmaliciousUnknownBrowse
                        2.elfGet hashmaliciousUnknownBrowse
                          fenty.arm7.elfGet hashmaliciousMiraiBrowse
                            fenty.arm6.elfGet hashmaliciousMiraiBrowse
                              wind.x86.elfGet hashmaliciousMiraiBrowse
                                wind.ppc.elfGet hashmaliciousMiraiBrowse
                                  arm.elfGet hashmaliciousUnknownBrowse
                                    31.43.163.57-mips-2025-01-09T20_13_20.elfGet hashmaliciousUnknownBrowse
                                      fenty.arm4.elfGet hashmaliciousMiraiBrowse
                                        main_ppc.elfGet hashmaliciousMiraiBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBSpace.x86.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          12.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          fenty.arm7.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          fenty.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          wind.x86.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          wind.ppc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          arm.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          31.43.163.57-mips-2025-01-09T20_13_20.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          fenty.arm4.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBSpace.x86.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          12.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          fenty.arm7.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          fenty.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          wind.x86.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          wind.ppc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          arm.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          31.43.163.57-mips-2025-01-09T20_13_20.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          fenty.arm4.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          INIT7CH12.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          2.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          fenty.arm7.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          fenty.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          wind.x86.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          wind.ppc.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          arm.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          31.43.163.57-mips-2025-01-09T20_13_20.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          fenty.arm4.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          main_ppc.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit MSB executable, ARM, version 1 (ARM), statically linked, stripped
                                          Entropy (8bit):6.153928971554762
                                          TrID:
                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                          File name:armv4eb.elf
                                          File size:95'232 bytes
                                          MD5:4958eb1d60abb2f860a7e65733b98ad6
                                          SHA1:778202f2eaa4ef97cad58e1e822191e90a8a9dd5
                                          SHA256:08e1c67d7ff174f7ebcb7c16ae27713710a63efddeea45fd835c0033b6e799c5
                                          SHA512:9233d25fe2cadf817ba7d2233245c7973d7eb5ca0524f2743197f3a9e36a0db5a8d32210699a5fdb1c467087c2bd27d14661e56065ef10c618bf7014234f1523
                                          SSDEEP:1536:a9ig945PYEa+lgikzlQiqXTeAnZcud6vyPrXR3Zt6tGDanXztBZ5r:aMKuYPanXHVweBpkADytBZx
                                          TLSH:AA933980B7189C32D05C2C3767BBD78A3B271AD49D92D120E454E7CFBB8F6C57A540A6
                                          File Content Preview:.ELF...a...........(...........4..rH.....4. ...(......................m...m...............p...p...p.......D.........dt.Q.................................-...L....."..VZ.........-@0..P\..0..S.....0..@P..0... ..R........0...0...........0... ..R........0 .S.

                                          Static ELF Info

                                          ELF header

                                          Class:ELF32
                                          Data:2's complement, big endian
                                          Version:1 (current)
                                          Machine:ARM
                                          Version Number:0x1
                                          Type:EXEC (Executable file)
                                          OS/ABI:ARM - ABI
                                          ABI Version:0
                                          Entry Point Address:0x8190
                                          Flags:0x202
                                          ELF Header Size:52
                                          Program Header Offset:52
                                          Program Header Size:32
                                          Number of Program Headers:3
                                          Section Header Offset:94792
                                          Section Header Size:40
                                          Number of Section Headers:11
                                          Header String Table Index:10

                                          Sections

                                          NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                          NULL0x00x00x00x00x0000
                                          .initPROGBITS0x80940x940x180x00x6AX004
                                          .textPROGBITS0x80b00xb00x159a00x00x6AX0016
                                          .finiPROGBITS0x1da500x15a500x140x00x6AX004
                                          .rodataPROGBITS0x1da800x15a800x129c0x00x2A0032
                                          .eh_framePROGBITS0x270000x170000x40x00x3WA004
                                          .ctorsPROGBITS0x270040x170040x80x00x3WA004
                                          .dtorsPROGBITS0x2700c0x1700c0x80x00x3WA004
                                          .dataPROGBITS0x270180x170180x1e80x00x3WA004
                                          .bssNOBITS0x272000x172000x42dc0x00x3WA004
                                          .shstrtabSTRTAB0x00x172000x480x00x0001

                                          Program Segments

                                          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                          LOAD0x00x80000x80000x16d1c0x16d1c6.20010x5R E0x8000.init .text .fini .rodata
                                          LOAD0x170000x270000x270000x2000x44dc2.09630x6RW 0x8000.eh_frame .ctors .dtors .data .bss
                                          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jan 10, 2025 00:52:46.623935938 CET43928443192.168.2.2391.189.91.42
                                          Jan 10, 2025 00:52:51.999145031 CET42836443192.168.2.2391.189.91.43
                                          Jan 10, 2025 00:52:53.534991980 CET4251680192.168.2.23109.202.202.202
                                          Jan 10, 2025 00:53:07.612953901 CET43928443192.168.2.2391.189.91.42
                                          Jan 10, 2025 00:53:17.851605892 CET42836443192.168.2.2391.189.91.43
                                          Jan 10, 2025 00:53:23.994740963 CET4251680192.168.2.23109.202.202.202
                                          Jan 10, 2025 00:53:48.567359924 CET43928443192.168.2.2391.189.91.42
                                          Jan 10, 2025 00:54:09.044456959 CET42836443192.168.2.2391.189.91.43

                                          System Behavior

                                          General

                                          Start time (UTC):23:52:47
                                          Start date (UTC):09/01/2025
                                          Path:/tmp/armv4eb.elf
                                          Arguments:/tmp/armv4eb.elf
                                          File size:4965048 bytes
                                          MD5 hash:6ef685c2c206c9caa9a952987789a1a5

                                          Chronological Activities