Edit tour

Linux Analysis Report
ARMV4L.elf

Overview

General Information

Sample name:ARMV4L.elf
Analysis ID:1594180
MD5:0e733de20ade4b4dedd5fd36e9287007
SHA1:736708335349863409be76bef74798dfb5f41748
SHA256:1efc14444fdc6ef7e7cd41c5b0f3016c739136c4a48d7b24e8959ccfa1939cf5
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1594180
Start date and time:2025-01-18 10:05:52 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ARMV4L.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0
Command:/tmp/ARMV4L.elf
PID:5454
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • ARMV4L.elf (PID: 5454, Parent: 5377, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/ARMV4L.elf
  • cleanup
No yara matches
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: ARMV4L.elfAvira: detected
Source: ARMV4L.elfVirustotal: Detection: 33%Perma Link
Source: ARMV4L.elfReversingLabs: Detection: 39%
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappingsProgram segment: 0x8000
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: ARMV4L.elfSubmission file: segment LOAD with 7.9583 entropy (max. 8.0)
Source: /tmp/ARMV4L.elf (PID: 5454)Queries kernel information via 'uname': Jump to behavior
Source: ARMV4L.elf, 5454.1.000055cada4d7000.000055cada605000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: ARMV4L.elf, 5454.1.00007fff0bfe6000.00007fff0c007000.rw-.sdmpBinary or memory string: wmx86_64/usr/bin/qemu-arm/tmp/ARMV4L.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ARMV4L.elf
Source: ARMV4L.elf, 5454.1.000055cada4d7000.000055cada605000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: ARMV4L.elf, 5454.1.00007fff0bfe6000.00007fff0c007000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: ARMV4L.elf, 5454.1.00007fff0bfe6000.00007fff0c007000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information
OS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1594180 Sample: ARMV4L.elf Startdate: 18/01/2025 Architecture: LINUX Score: 56 8 daisy.ubuntu.com 2->8 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 6 ARMV4L.elf 2->6         started        signatures3 process4
SourceDetectionScannerLabelLink
ARMV4L.elf34%VirustotalBrowse
ARMV4L.elf39%ReversingLabsLinux.Trojan.Svirtu
ARMV4L.elf100%AviraEXP/ELF.Agent.F.14
No Antivirus matches
No Antivirus matches
No Antivirus matches

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    high
    No contacted IP infos
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comARMV6L.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    MIPSEL.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    ARMV5L.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    sshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    armv7l.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    armv6l.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    sh4.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    spc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    No context
    No context
    No context
    No created / dropped files found
    File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
    Entropy (8bit):7.956441754868798
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:ARMV4L.elf
    File size:34'260 bytes
    MD5:0e733de20ade4b4dedd5fd36e9287007
    SHA1:736708335349863409be76bef74798dfb5f41748
    SHA256:1efc14444fdc6ef7e7cd41c5b0f3016c739136c4a48d7b24e8959ccfa1939cf5
    SHA512:da4b785049fcb66fb396ec23c2282cb89eda040f2a3f7e9bb0f671423db50f4dd66c12b753d3b3354c248fe94db8dd2662a68ac708aea8d102fb995c33d52e65
    SSDEEP:384:6AZT4SE48zfPdqS9zy14HeGSmR99avBOLlRjmRkGrFJanBAFzSH/Rc1jdaY4mdGj:6089rz9RUmR99ziSBAJSHpc1jd/43UC
    TLSH:E2F2F241EBDCA2E5C1840C72FEE90885F267A73ED1C761541248BB5DB1A230299FF903
    File Content Preview:.ELF...a..........(.....<...4...........4. ...(.....................p...p...........................................Q.td..............................q.YTS.D.......|B..|B......S..........?.E.h;.}...^..........e..o.b..@YHd...B....*O..;fj..D.2}.T.f5....N..:

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:ARM
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:ARM - ABI
    ABI Version:0
    Entry Point Address:0xf33c
    Flags:0x202
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0
    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x80000x80000x84700x84707.95830x5R E0x8000
    LOAD0x00x180000x180000x00x118a00.00000x6RW 0x8000
    GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Jan 18, 2025 10:06:39.717356920 CET5896953192.168.2.138.8.8.8
    Jan 18, 2025 10:06:39.717422962 CET5689653192.168.2.138.8.8.8
    Jan 18, 2025 10:06:39.723994970 CET53589698.8.8.8192.168.2.13
    Jan 18, 2025 10:06:39.724035978 CET53568968.8.8.8192.168.2.13
    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Jan 18, 2025 10:06:39.717356920 CET192.168.2.138.8.8.80xfab8Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Jan 18, 2025 10:06:39.717422962 CET192.168.2.138.8.8.80x1337Standard query (0)daisy.ubuntu.com28IN (0x0001)false
    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Jan 18, 2025 10:06:39.723994970 CET8.8.8.8192.168.2.130xfab8No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
    Jan 18, 2025 10:06:39.723994970 CET8.8.8.8192.168.2.130xfab8No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

    System Behavior

    Start time (UTC):09:06:37
    Start date (UTC):18/01/2025
    Path:/tmp/ARMV4L.elf
    Arguments:/tmp/ARMV4L.elf
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1