Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
ARMV6L.elf

Overview

General Information

Sample name:ARMV6L.elf
Analysis ID:1594178
MD5:1c711324806ea69e46e0df2174a89216
SHA1:cfcd5a66bb71de69d836dcf96add57864787fb71
SHA256:7afebaa19804bcda6c1d29d2c6fb1a0aec6a5a34da1dea27cfa2f9ca262c9c67
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1594178
Start date and time:2025-01-18 10:01:15 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ARMV6L.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0

Runtime Messages

Command:/tmp/ARMV6L.elf
PID:5550
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • ARMV6L.elf (PID: 5550, Parent: 5467, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/ARMV6L.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: ARMV6L.elfAvira: detected
Source: ARMV6L.elfVirustotal: Detection: 30%Perma Link
Source: ARMV6L.elfReversingLabs: Detection: 44%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappingsProgram segment: 0x8000
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: ARMV6L.elfSubmission file: segment LOAD with 7.9669 entropy (max. 8.0)
Source: /tmp/ARMV6L.elf (PID: 5550)Queries kernel information via 'uname': Jump to behavior
Source: ARMV6L.elf, 5550.1.00007ffeebd48000.00007ffeebd69000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/ARMV6L.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ARMV6L.elf
Source: ARMV6L.elf, 5550.1.0000561de1b80000.0000561de1cae000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: ARMV6L.elf, 5550.1.00007ffeebd48000.00007ffeebd69000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: ARMV6L.elf, 5550.1.0000561de1b80000.0000561de1cae000.rw-.sdmpBinary or memory string: V!/etc/qemu-binfmt/arm
Source: ARMV6L.elf, 5550.1.00007ffeebd48000.00007ffeebd69000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1594178 Sample: ARMV6L.elf Startdate: 18/01/2025 Architecture: LINUX Score: 56 8 daisy.ubuntu.com 2->8 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 6 ARMV6L.elf 2->6         started        signatures3 process4

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ARMV6L.elf31%VirustotalBrowse
ARMV6L.elf45%ReversingLabsLinux.Backdoor.Mirai
ARMV6L.elf100%AviraEXP/ELF.Agent.F.14

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comsshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    armv7l.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    armv6l.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    sh4.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    spc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    mpsl.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    m68k.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    2.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
    Entropy (8bit):7.965109103888895
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:ARMV6L.elf
    File size:39'320 bytes
    MD5:1c711324806ea69e46e0df2174a89216
    SHA1:cfcd5a66bb71de69d836dcf96add57864787fb71
    SHA256:7afebaa19804bcda6c1d29d2c6fb1a0aec6a5a34da1dea27cfa2f9ca262c9c67
    SHA512:c902e9b0b1a70f0ea15290223d35216441c4f6a58165c4cadb74f15f7c9396303ec5c1e43ab30538ac57c9f24e946db3b6ac2ca06736d9a4cdbf00d8b0e335fd
    SSDEEP:768:BeZ7iCLiuIqBALVPXTJkCLsKQYyy/I+67sNoK3BTWjk4CEq3U7H:BeBiPuCVP1RQY3/e6rdD4H
    TLSH:1203E1F49A5AEEE5D6311D70BDED4643F9AA37E484B771336231C3088AD606968F8A04
    File Content Preview:.ELF..............(.....d...4...........4. ...(..........................................................K..........Q.td............................"...YTS..........s...s......_..........?.E.h;....#..$.........m.4..|<.o.....z@.s]i..W...V..........@......X

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:ARM
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - Linux
    ABI Version:0
    Entry Point Address:0x10664
    Flags:0x4000002
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x80000x80000x97d30x97d37.96690x5R E0x8000
    LOAD0x00x180000x180000x00x14b140.00000x6RW 0x8000
    GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

    Network Behavior

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Jan 18, 2025 10:02:06.307754040 CET5416853192.168.2.151.1.1.1
    Jan 18, 2025 10:02:06.307815075 CET4275553192.168.2.151.1.1.1
    Jan 18, 2025 10:02:06.315907955 CET53427551.1.1.1192.168.2.15
    Jan 18, 2025 10:02:06.316608906 CET53541681.1.1.1192.168.2.15

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Jan 18, 2025 10:02:06.307754040 CET192.168.2.151.1.1.10x4e6dStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Jan 18, 2025 10:02:06.307815075 CET192.168.2.151.1.1.10xdeecStandard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Jan 18, 2025 10:02:06.316608906 CET1.1.1.1192.168.2.150x4e6dNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
    Jan 18, 2025 10:02:06.316608906 CET1.1.1.1192.168.2.150x4e6dNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):09:02:03
    Start date (UTC):18/01/2025
    Path:/tmp/ARMV6L.elf
    Arguments:/tmp/ARMV6L.elf
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

    File Activities

    Process Activities

    System Activities