Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
UnHAnaAW.arm5.elf

Overview

General Information

Sample name:UnHAnaAW.arm5.elf
Analysis ID:1588046
MD5:ee31948452a0afd35ea9cb9c203bf5ad
SHA1:fda038ed4520d944e9c91c2878745b1eae9589ae
SHA256:f31b493f1ac323b8c370c98f27a9c600fcf8eeca3c08fcee6c53288fd97b3a83
Tags:elfMiraiuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1588046
Start date and time:2025-01-10 20:56:10 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 10m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:UnHAnaAW.arm5.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0
Cookbook Comments:
  • Analysis time extended to 480s due to sleep detection in submitted sample

Runtime Messages

Command:/tmp/UnHAnaAW.arm5.elf
PID:5450
Exit Code:255
Exit Code Info:
Killed:False
Standard Output:

Standard Error:/lib/ld-uClibc.so.0: No such file or directory

Process Tree

  • system is lnxubuntu20
  • UnHAnaAW.arm5.elf (PID: 5450, Parent: 5373, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/UnHAnaAW.arm5.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: UnHAnaAW.arm5.elfAvira: detected
Multi AV Scanner detection for submitted file
Source: UnHAnaAW.arm5.elfVirustotal: Detection: 58%Perma Link
Source: UnHAnaAW.arm5.elfReversingLabs: Detection: 65%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: /tmp/UnHAnaAW.arm5.elf (PID: 5450)Queries kernel information via 'uname': Jump to behavior
Source: UnHAnaAW.arm5.elf, 5450.1.00007fff0e8c5000.00007fff0e8e6000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/UnHAnaAW.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/UnHAnaAW.arm5.elf
Source: UnHAnaAW.arm5.elf, 5450.1.000055bc26d27000.000055bc26e55000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: UnHAnaAW.arm5.elf, 5450.1.00007fff0e8c5000.00007fff0e8e6000.rw-.sdmpBinary or memory string: qemu: %s: %s
Source: UnHAnaAW.arm5.elf, 5450.1.00007fff0e8c5000.00007fff0e8e6000.rw-.sdmpBinary or memory string: leqemu: %s: %s
Source: UnHAnaAW.arm5.elf, 5450.1.000055bc26d27000.000055bc26e55000.rw-.sdmpBinary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: UnHAnaAW.arm5.elf, 5450.1.000055bc26d27000.000055bc26e55000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: UnHAnaAW.arm5.elf, 5450.1.00007fff0e8c5000.00007fff0e8e6000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: UnHAnaAW.arm5.elf, 5450.1.000055bc26d27000.000055bc26e55000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
UnHAnaAW.arm5.elf59%VirustotalBrowse
UnHAnaAW.arm5.elf66%ReversingLabsLinux.Trojan.Mirai
UnHAnaAW.arm5.elf100%AviraEXP/ELF.Mirai.Bootnet.oc

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comUnHAnaAW.ppc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    UnHAnaAW.arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    woega6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    ssc.elfGet hashmaliciousGafgytBrowse
    • 162.213.35.24
    frosty.arm5.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    frosty.arm6.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    frosty.mpsl.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    main_sh4.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    wind.mpsl.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    wind.arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:
    Entropy (8bit):5.966048487444445
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:UnHAnaAW.arm5.elf
    File size:62'700 bytes
    MD5:ee31948452a0afd35ea9cb9c203bf5ad
    SHA1:fda038ed4520d944e9c91c2878745b1eae9589ae
    SHA256:f31b493f1ac323b8c370c98f27a9c600fcf8eeca3c08fcee6c53288fd97b3a83
    SHA512:a2b1e968f8928f6372fa8b5c7ee56e73e87c21a1eb58956ac2a17be6a987f1b3f669bc6a2b29610078ed840b35101a4f6c172d2dea9f650edab54380ece0341b
    SSDEEP:1536:omHfUXVywKHMIeVOeKSs2KlkaLFgiZu6Kjoh+tTnS:omHfUl1IFM6KEhqT
    TLSH:BA53E9627C926A2AC5E063BAF6BE518D332167B8D1DF3217CC212B057BC551F0DA7B81
    File Content Preview:.ELF...a..........(.........4...........4. ...(.........4...4...4...................................................................|...|...............................D...........................................Q.td............................/lib/ld-uCl

    Network Behavior

    Network Port Distribution

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Jan 10, 2025 20:59:35.317611933 CET3644053192.168.2.131.1.1.1
    Jan 10, 2025 20:59:35.317679882 CET5799153192.168.2.131.1.1.1
    Jan 10, 2025 20:59:35.324312925 CET53579911.1.1.1192.168.2.13
    Jan 10, 2025 20:59:35.324326038 CET53364401.1.1.1192.168.2.13

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Jan 10, 2025 20:59:35.317611933 CET192.168.2.131.1.1.10x82e4Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Jan 10, 2025 20:59:35.317679882 CET192.168.2.131.1.1.10xa5a5Standard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Jan 10, 2025 20:59:35.324326038 CET1.1.1.1192.168.2.130x82e4No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
    Jan 10, 2025 20:59:35.324326038 CET1.1.1.1192.168.2.130x82e4No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):19:56:51
    Start date (UTC):10/01/2025
    Path:/tmp/UnHAnaAW.arm5.elf
    Arguments:/tmp/UnHAnaAW.arm5.elf
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

    Chronological Activities