Joe Sandbox Cloud Basic Analysis Report
Create Interactive Tour

Linux Analysis Report
7C73JOPr1H.elf

Overview

General Information

Sample name:7C73JOPr1H.elf
renamed because original name is a hash value
Original sample name:59f7ddd5211671eed5b8c378e228a24d849fe0a1c043941dfd4602029c66f216.elf
Analysis ID:1591882
MD5:04ad541e132660d6417e7f806c4fa369
SHA1:b4cfe0993900149d20e9dd3b1e45c45ccae47a07
SHA256:59f7ddd5211671eed5b8c378e228a24d849fe0a1c043941dfd4602029c66f216
Tags:elfexeuser-mentality
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:60
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1591882
Start date and time:2025-01-15 15:18:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:7C73JOPr1H.elf
renamed because original name is a hash value
Original Sample Name:59f7ddd5211671eed5b8c378e228a24d849fe0a1c043941dfd4602029c66f216.elf
Detection:MAL
Classification:mal60.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found
  • VT rate limit hit for: http://inet-ip.info/iphttps://api.ipify.org/idna:
  • VT rate limit hit for: http://ipgrab.io/https://ident.me/if-modified-sinceillegal

Runtime Messages

Command:/tmp/7C73JOPr1H.elf
PID:6235
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: 7C73JOPr1H.elfAvira: detected
Source: 7C73JOPr1H.elfVirustotal: Detection: 59%Perma Link
Source: 7C73JOPr1H.elfReversingLabs: Detection: 52%
Source: 7C73JOPr1H.elfJoe Sandbox ML: detected
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: 7C73JOPr1H.elfString found in binary or memory: http://inet-ip.info/iphttps://api.ipify.org/idna:
Source: 7C73JOPr1H.elfString found in binary or memory: http://ipgrab.io/https://ident.me/if-modified-sinceillegal
Source: 7C73JOPr1H.elfString found in binary or memory: http://ipinfo.io/ipif-unmodified-sinceillegal
Source: 7C73JOPr1H.elfString found in binary or memory: https://checkip.amazonaws.com/illegal
Source: 7C73JOPr1H.elfString found in binary or memory: https://discord.com/api/webhooks/960954050583613549/YAkGomn5eYtrPChuOPz87pIkS7WK2XpB5Y3ozZQXaAho2VCB
Source: 7C73JOPr1H.elfString found in binary or memory: https://ip.seeip.org/in
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engineClassification label: mal60.linELF@0/0@0/0
Source: 7C73JOPr1H.elfBinary or memory string: apacheavx512centoscgroupchan<-closedcookiedebiandockerdomainefenceempty errno exec: expectgopherhangupheaderid_rsainternip+netkilledlistenminutendots:netdnsnumberobjectonlineopenvzpasswdpopcntqwertyrdrandrdseedrdtscpremovereturnrune1 secondselectserversocketsocks socks5splicestatusstringstructsweep sysmonsystemtelnettimersubuntuuint16uint32uint64unuseduptimevmwarewaitid{hash} %v=%v, (conn) (scan (scan) (trap MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: 7C73JOPr1H.elfBinary or memory string: /dev/null/dev/ptmx/dev/pts/0.0.0.0/82001::/322002::/162441406253ffe::/16: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticENCRYPTEDFIN_WAIT1FIN_WAIT2ForbiddenHOST_PROCHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLINUX_2.6MalayalamMongolianNabataeanNot FoundPalmyreneParseUintProc-TypeSSH_FX_OKSamaritanSee OtherSeptemberSundaneseTIME_WAITToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyWednesday[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8attempts:bad indirbad prunebus errorchan sendcomplex64continuedcontrol_dcopystackcpu-totalctxt != 0d.nx != 0debugLockdns,filesempty urlfec0::/10files,dnsfork/execfuncargs(hchanLeafhmac-sha1image/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostlocaltimemSpanDeadmSpanFreenewosprocnil erroromitemptypanicwaitpclmulqdqportfoliopreemptedprotocol publickeyquestionsraspberryrecover: reflect: rwxrwxrwxscavtracesignal 32signal 33signal 34signal 35signal 36signal 37signal 38signal 39signal 40signal 41signal 42signal 43signal 44signal 45signal 46signal 47signal 48signal 49signal 50signal 51signal 52signal 53signal 54signal 55signal 56signal 57signal 58signal 59signal 60signal 61signal 62signal 63signal 64stackpoolsubsystemsucceededtracebackunderflowunhandledvboxguestwbufSpanswebsocket} stack=[ (deleted) MB goal, flushGen for type gfreecnt= pages at ptrSize= returned runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = --nicehash.localhost/dev/stdin/etc/hosts/proc/stat/setgroups0.0.0.0:2210.0.0.0/812207031256103515625:authorityAdditionalBad varintCLOSE_WAITChorasmianClassCHAOSClassCSNETConnectionContent-IdDSA-SHA256DeprecatedDevanagariECDSA-SHA1END_STREAMGC forced
Source: 7C73JOPr1H.elfBinary or memory string: }\ufffdacceptactiveallowapacheavx512centoscgroupchan<-closedcookiedebiandockerdomainefenceempty errno exec: expectgopherhangupheaderid_rsainternip+netkilledlistenminutendots:netdnsnumberobjectonlineopenvzpasswdpopcntqwertyrdrandrdseedrdtscpremovereturnrune1 secondselectserversocketsocks socks5splicestatusstringstructsweep sysmonsystemtelnettimersubuntuuint16uint32uint64unuseduptimevmwarewaitid{hash} %v=%v, (conn) (scan (scan) (trap MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: 7C73JOPr1H.elfBinary or memory string: , not a function. Reason was: %v.WithValue(type /etc/resolv.conf/proc/self/fd/%d0123456789ABCDEF0123456789abcdef2384185791015625: value of type Already ReportedContent-EncodingContent-LanguageContent-Length: Environment="ARGFRAME_SIZE_ERRORGC scavenge waitGC worker (idle)GODEBUG: value "Imperial_AramaicInstRuneAnyNotNLMeroitic_CursiveMultiple ChoicesOther_AlphabeticPayment RequiredProxy-ConnectionQEMU Virtual CPURCodeFormatErrorSETTINGS_TIMEOUTSIGNONE: no trapSSH_FXP_EXTENDEDSSH_FXP_FSETSTATSSH_FXP_READLINKSSH_FXP_REALPATHSignatureScheme(Upgrade RequiredUser-Agent: %s

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591882 Sample: 7C73JOPr1H.elf Startdate: 15/01/2025 Architecture: LINUX Score: 60 6 109.202.202.202, 80 INIT7CH Switzerland 2->6 8 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->8 10 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Machine Learning detection for sample 2->16 signatures3

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
7C73JOPr1H.elf59%VirustotalBrowse
7C73JOPr1H.elf53%ReversingLabsLinux.Trojan.Multiverze
7C73JOPr1H.elf100%AviraEXP/ELF.Coinminer.A
7C73JOPr1H.elf100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://ipinfo.io/ipif-unmodified-sinceillegal7C73JOPr1H.elffalse
    		high
    https://checkip.amazonaws.com/illegal7C73JOPr1H.elffalse
      		high
      http://ipgrab.io/https://ident.me/if-modified-sinceillegal7C73JOPr1H.elffalse
        		unknown
        https://ip.seeip.org/in7C73JOPr1H.elffalse
          		high
          http://inet-ip.info/iphttps://api.ipify.org/idna:7C73JOPr1H.elffalse
            		unknown

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            109.202.202.202
            		unknownSwitzerland
            		13030INIT7CHfalse
            91.189.91.43
            		unknownUnited Kingdom
            		41231CANONICAL-ASGBfalse
            91.189.91.42
            		unknownUnited Kingdom
            		41231CANONICAL-ASGBfalse

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
            • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
            91.189.91.43Aqua.dbg.elfGet hashmaliciousUnknownBrowse
              Aqua.x86_64.elfGet hashmaliciousUnknownBrowse
                Aqua.ppc.elfGet hashmaliciousUnknownBrowse
                  na.elfGet hashmaliciousPrometeiBrowse
                    boooooos.x86_64.elfGet hashmaliciousUnknownBrowse
                      na.elfGet hashmaliciousPrometeiBrowse
                        na.elfGet hashmaliciousPrometeiBrowse
                          tftp.elfGet hashmaliciousUnknownBrowse
                            bin.sh.elfGet hashmaliciousMiraiBrowse
                              45.131.111.37-boatnet.arm5-2025-01-15T02_13_35.elfGet hashmaliciousMiraiBrowse
                                91.189.91.42Aqua.dbg.elfGet hashmaliciousUnknownBrowse
                                  Aqua.x86_64.elfGet hashmaliciousUnknownBrowse
                                    Aqua.ppc.elfGet hashmaliciousUnknownBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        boooooos.x86_64.elfGet hashmaliciousUnknownBrowse
                                          na.elfGet hashmaliciousPrometeiBrowse
                                            na.elfGet hashmaliciousPrometeiBrowse
                                              tftp.elfGet hashmaliciousUnknownBrowse
                                                bin.sh.elfGet hashmaliciousMiraiBrowse
                                                  45.131.111.37-boatnet.arm5-2025-01-15T02_13_35.elfGet hashmaliciousMiraiBrowse

                                                    Domains

                                                    No context

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    CANONICAL-ASGBAqua.dbg.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    Aqua.x86_64.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    Aqua.arm6.elfGet hashmaliciousUnknownBrowse
                                                    • 185.125.190.26
                                                    Aqua.ppc.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 91.189.91.42
                                                    boooooos.x86_64.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 91.189.91.42
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 91.189.91.42
                                                    tftp.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    bin.sh.elfGet hashmaliciousMiraiBrowse
                                                    • 91.189.91.42
                                                    CANONICAL-ASGBAqua.dbg.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    Aqua.x86_64.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    Aqua.arm6.elfGet hashmaliciousUnknownBrowse
                                                    • 185.125.190.26
                                                    Aqua.ppc.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 91.189.91.42
                                                    boooooos.x86_64.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 91.189.91.42
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 91.189.91.42
                                                    tftp.elfGet hashmaliciousUnknownBrowse
                                                    • 91.189.91.42
                                                    bin.sh.elfGet hashmaliciousMiraiBrowse
                                                    • 91.189.91.42
                                                    INIT7CHAqua.dbg.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Aqua.x86_64.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    Aqua.ppc.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 109.202.202.202
                                                    boooooos.x86_64.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 109.202.202.202
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                    • 109.202.202.202
                                                    tftp.elfGet hashmaliciousUnknownBrowse
                                                    • 109.202.202.202
                                                    bin.sh.elfGet hashmaliciousMiraiBrowse
                                                    • 109.202.202.202
                                                    45.131.111.37-boatnet.arm5-2025-01-15T02_13_35.elfGet hashmaliciousMiraiBrowse
                                                    • 109.202.202.202

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    No created / dropped files found

                                                    Static File Info

                                                    General

                                                    File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 30304408
                                                    Entropy (8bit):6.306063419337655
                                                    TrID:
                                                    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                    File name:7C73JOPr1H.elf
                                                    File size:10'682'368 bytes
                                                    MD5:04ad541e132660d6417e7f806c4fa369
                                                    SHA1:b4cfe0993900149d20e9dd3b1e45c45ccae47a07
                                                    SHA256:59f7ddd5211671eed5b8c378e228a24d849fe0a1c043941dfd4602029c66f216
                                                    SHA512:4a454d28edc56bb646ee79eaa1508dbca10144604116662f03d10ed6ff05370260ab7d5f40766083988637eb77dde9617c43b005481449c232f365da640c573b
                                                    SSDEEP:49152:c8nxDgC7g9rb/TBvO90dL3BmAFd4A64nsfJ7QQzjFHWkMNRCdQqzB0dSyG2VjMQp:cqYUQuVDt0TZEe
                                                    TLSH:87B68C73945334D8E5A889B4D11416526DBC3C8B5738A3C7BAC471F66BBABE48E38730
                                                    File Content Preview:.ELF..............>.....p4@.....@........`..........@.8...@.#.".........@.......@.@.....@.@...............................................@.......@...............................................@.......@......%.......%.......................0.......0@....

                                                    Network Behavior

                                                    Download Network PCAP: filteredfull

                                                    Network Port Distribution

                                                    • Total Packets: 8
                                                    • 443 (HTTPS)
                                                    • 80 (HTTP)
                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 15, 2025 15:18:54.197037935 CET43928443192.168.2.2391.189.91.42
                                                    Jan 15, 2025 15:18:59.828353882 CET42836443192.168.2.2391.189.91.43
                                                    Jan 15, 2025 15:19:01.108073950 CET4251680192.168.2.23109.202.202.202
                                                    Jan 15, 2025 15:19:15.442153931 CET43928443192.168.2.2391.189.91.42
                                                    Jan 15, 2025 15:19:25.680747032 CET42836443192.168.2.2391.189.91.43
                                                    Jan 15, 2025 15:19:31.823862076 CET4251680192.168.2.23109.202.202.202
                                                    Jan 15, 2025 15:19:56.396503925 CET43928443192.168.2.2391.189.91.42
                                                    Jan 15, 2025 15:20:16.873631001 CET42836443192.168.2.2391.189.91.43

                                                    System Behavior