Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
Yboats.arm5.elf

Overview

General Information

Sample name:Yboats.arm5.elf
Analysis ID:1594279
MD5:ad7c38b4dd11cf522136e5af13a6a261
SHA1:d24caef533de469e419bec60cb73a63fe552f6f3
SHA256:b88d1e7aef75faddec233917cd11ed20d7eff4f7a27bca223ca22d6ae20cce1d
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1594279
Start date and time:2025-01-18 18:09:27 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 6s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:Yboats.arm5.elf
Detection:MAL
Classification:mal52.evad.linELF@0/0@0/0

Runtime Messages

Command:/tmp/Yboats.arm5.elf
PID:6282
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • Yboats.arm5.elf (PID: 6282, Parent: 6206, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Yboats.arm5.elf
  • dash New Fork (PID: 6303, Parent: 4331)
  • rm (PID: 6303, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.MWZ7LfXK5N /tmp/tmp.nWioCTkRfx /tmp/tmp.9FzMkXxcdd
  • dash New Fork (PID: 6304, Parent: 4331)
  • rm (PID: 6304, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.MWZ7LfXK5N /tmp/tmp.nWioCTkRfx /tmp/tmp.9FzMkXxcdd
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Data Obfuscation
  • Persistence and Installation Behavior
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: Yboats.arm5.elfVirustotal: Detection: 39%Perma Link
Source: Yboats.arm5.elfReversingLabs: Detection: 44%
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: Yboats.arm5.elfString found in binary or memory: http://upx.sf.net
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 39258
Source: unknownNetwork traffic detected: HTTP traffic on port 39258 -> 443
Source: LOAD without section mappingsProgram segment: 0x8000
Source: classification engineClassification label: mal52.evad.linELF@0/0@0/0

Data Obfuscation

barindex
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Source: /usr/bin/dash (PID: 6303)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.MWZ7LfXK5N /tmp/tmp.nWioCTkRfx /tmp/tmp.9FzMkXxcddJump to behavior
Source: /usr/bin/dash (PID: 6304)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.MWZ7LfXK5N /tmp/tmp.nWioCTkRfx /tmp/tmp.9FzMkXxcddJump to behavior
Source: Yboats.arm5.elfSubmission file: segment LOAD with 7.9569 entropy (max. 8.0)
Source: /tmp/Yboats.arm5.elf (PID: 6282)Queries kernel information via 'uname': Jump to behavior
Source: Yboats.arm5.elf, 6282.1.000055922f690000.000055922f7be000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: Yboats.arm5.elf, 6282.1.000055922f690000.000055922f7be000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: Yboats.arm5.elf, 6282.1.00007ffc6f707000.00007ffc6f728000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: Yboats.arm5.elf, 6282.1.00007ffc6f707000.00007ffc6f728000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/Yboats.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Yboats.arm5.elf
Source: Yboats.arm5.elf, 6282.1.00007ffc6f707000.00007ffc6f728000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
File Deletion		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1594279 Sample: Yboats.arm5.elf Startdate: 18/01/2025 Architecture: LINUX Score: 52 12 109.202.202.202, 80 INIT7CH Switzerland 2->12 14 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->14 16 34.249.145.219, 39258, 443 AMAZON-02US United States 2->16 18 Multi AV Scanner detection for submitted file 2->18 20 Sample is packed with UPX 2->20 6 dash rm 2->6         started        8 dash rm 2->8         started        10 Yboats.arm5.elf 2->10         started        signatures3 process4

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Yboats.arm5.elf40%VirustotalBrowse
Yboats.arm5.elf45%ReversingLabsLinux.Trojan.Multiverze

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netYboats.arm5.elffalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    34.249.145.219
    		unknownUnited States
    		16509AMAZON-02USfalse
    109.202.202.202
    		unknownSwitzerland
    		13030INIT7CHfalse
    91.189.91.42
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    34.249.145.219boooooos.arm.elfGet hashmaliciousMiraiBrowse
      na.elfGet hashmaliciousPrometeiBrowse
        na.elfGet hashmaliciousPrometeiBrowse
          boatnet.ppc.elfGet hashmaliciousMiraiBrowse
            bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
              hikarm4.elfGet hashmaliciousUnknownBrowse
                yakuza.x32.elfGet hashmaliciousGafgyt, MiraiBrowse
                  yakuza.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                    arm7.elfGet hashmaliciousMirai, MoobotBrowse
                      spc.elfGet hashmaliciousMirai, MoobotBrowse
                        109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                        • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                        91.189.91.42Yboats.spc.elfGet hashmaliciousMirai, OkiruBrowse
                          Yboats.arm6.elfGet hashmaliciousUnknownBrowse
                            Yboats.sh4.elfGet hashmaliciousMirai, OkiruBrowse
                              loki.arm4.elfGet hashmaliciousUnknownBrowse
                                loki.arm5.elfGet hashmaliciousUnknownBrowse
                                  loki.x86_64.elfGet hashmaliciousUnknownBrowse
                                    loki.arm7.elfGet hashmaliciousMiraiBrowse
                                      loki.ppc.elfGet hashmaliciousUnknownBrowse
                                        94.154.35.238-x86-2025-01-18T14_35_21.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          na.elfGet hashmaliciousPrometeiBrowse

                                            Domains

                                            No context

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            CANONICAL-ASGBYboats.spc.elfGet hashmaliciousMirai, OkiruBrowse
                                            • 91.189.91.42
                                            Yboats.arm6.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            Yboats.i686.elfGet hashmaliciousMirai, OkiruBrowse
                                            • 185.125.190.26
                                            Yboats.sh4.elfGet hashmaliciousMirai, OkiruBrowse
                                            • 91.189.91.42
                                            loki.arm4.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            loki.mpsl.elfGet hashmaliciousUnknownBrowse
                                            • 185.125.190.26
                                            loki.arm5.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            loki.x86_64.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            loki.arm7.elfGet hashmaliciousMiraiBrowse
                                            • 91.189.91.42
                                            loki.ppc.elfGet hashmaliciousUnknownBrowse
                                            • 91.189.91.42
                                            INIT7CHYboats.spc.elfGet hashmaliciousMirai, OkiruBrowse
                                            • 109.202.202.202
                                            Yboats.arm6.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            Yboats.sh4.elfGet hashmaliciousMirai, OkiruBrowse
                                            • 109.202.202.202
                                            loki.arm4.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            loki.arm5.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            loki.x86_64.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            loki.arm7.elfGet hashmaliciousMiraiBrowse
                                            • 109.202.202.202
                                            loki.ppc.elfGet hashmaliciousUnknownBrowse
                                            • 109.202.202.202
                                            94.154.35.238-x86-2025-01-18T14_35_21.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            • 109.202.202.202
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 109.202.202.202
                                            AMAZON-02USaMlodbEWhD.exeGet hashmaliciousUnknownBrowse
                                            • 3.69.165.56
                                            aMlodbEWhD.exeGet hashmaliciousUnknownBrowse
                                            • 3.69.165.56
                                            https://www.surveymonkey.com/tr/v1/te/fP1ElyAh3LrqKx24JsmD6ODtGOJwRcRt5qVxrYIEJEHUElyeJAfL_2BKym0kGXzEGoAPJ7mj9hHP_2FbInvSBSXSODJbn0efHfXAOTjSwu4vDqLEu9n5ZG_2FsdwlSjWOWVV1Y_2BR2XkO30P3B1Fa298_2BZW5_2F7YMlTq5O8aCHUpn_2F02dR9LcOCZqh3yaUg_2BW57lOq_2FAbkkyklhhkvPpUD83QimwzquPOI5N9zIM36hBWCYjelonII4Uk357bow0DkPDmd3A3K6tnq3ccg6PTON1m3Lvh1mp84C75JBUbHVxLw_2BDj1FZdQ1Xe4gsfjPUfElFRZgaai_2BWe6or91PZ_2FGII23e_2FCXnc8IQ0oJ2fT3jMTSY4Zx9mGqdjeKzP8YIOAq3aBDb20g2G3Jtht0BiiqE3VEU_2FljXzX5O9qGvlRnD58JMJLqIhOyhltrl5iTR7ulSyjLp75u5aKwtSqRrev6L89jbsGcB9_2BED2mMKDbNl6CEUDcZcV09TD5rchi9Tq1484mf0jQhKY60OFIxJcaADmY_2FBkPKmG0F6KSKyTBAst5NXfEIl2p6qjflCh_2F65OakN1ODxGKy3OSGyrtZZlHSgU438K6QLy3NX0DWR_2FmhkXCJZcOFN6yEnaVuF1xa9RChsFdxLzY_2FoE3d4G0ag9eMot4SnXBw_3D_3DGet hashmaliciousUnknownBrowse
                                            • 54.155.91.6
                                            ssez9kSCPc.exeGet hashmaliciousUnknownBrowse
                                            • 3.160.150.40
                                            SPARC.elfGet hashmaliciousMiraiBrowse
                                            • 54.171.230.55
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 54.171.230.55
                                            https://linktr.ee/ach2025batch2Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                            • 44.234.209.97
                                            https://lwkqmanseyrdusidffg.weebly.com/?user-agent=Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTMLGet hashmaliciousHTMLPhisherBrowse
                                            • 44.240.99.243
                                            http://sdfredgfdas.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                            • 44.240.99.243
                                            https://usps-dsmssex.click/usGet hashmaliciousHTMLPhisherBrowse
                                            • 52.212.200.255

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            No created / dropped files found

                                            Static File Info

                                            General

                                            File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
                                            Entropy (8bit):7.954864672866029
                                            TrID:
                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                            File name:Yboats.arm5.elf
                                            File size:32'520 bytes
                                            MD5:ad7c38b4dd11cf522136e5af13a6a261
                                            SHA1:d24caef533de469e419bec60cb73a63fe552f6f3
                                            SHA256:b88d1e7aef75faddec233917cd11ed20d7eff4f7a27bca223ca22d6ae20cce1d
                                            SHA512:27ecad11146f05c95f71b670ca36582bc6731c7d85f338c10b5570b58cfdeeacd379386cf635bc7ca20f1e0f29af5fa29d069a1d19d87476217ac652c9976cf8
                                            SSDEEP:384:6RxTYWk9NdUXOn7Gs/7PedWJe1swtHIRD0+dmbSyBDtwj7J4FEWscsmdGU5E/X:6i9H4OnMtswuXyBDtmnWa3UcX
                                            TLSH:60E2E161C2105111FE902A36DFF0C29FB46209BCA1C9613E2DAC442CDDFA56677FC1AB
                                            File Content Preview:.ELF...a..........(.........4...........4. ...(......................}...}..............................L...........Q.td............................K..gUPX!........H...H.......t..........?.E.h;.}...^......v6..e..IP...8..r...#..."....<.At.aVX.......Y../.J.

                                            Static ELF Info

                                            ELF header

                                            Class:ELF32
                                            Data:2's complement, little endian
                                            Version:1 (current)
                                            Machine:ARM
                                            Version Number:0x1
                                            Type:EXEC (Executable file)
                                            OS/ABI:ARM - ABI
                                            ABI Version:0
                                            Entry Point Address:0xebcc
                                            Flags:0x2
                                            ELF Header Size:52
                                            Program Header Offset:52
                                            Program Header Size:32
                                            Number of Program Headers:3
                                            Section Header Offset:0
                                            Section Header Size:40
                                            Number of Section Headers:0
                                            Header String Table Index:0

                                            Program Segments

                                            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                            LOAD0x00x80000x80000x7d940x7d947.95690x5R E0x8000
                                            LOAD0x00x100000x100000x00x18a4c0.00000x6RW 0x8000
                                            GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                                            Network Behavior

                                            Download Network PCAP: filteredfull

                                            Network Port Distribution

                                            • Total Packets: 5
                                            • 443 (HTTPS)
                                            • 80 (HTTP)
                                            TimestampSource PortDest PortSource IPDest IP
                                            Jan 18, 2025 18:10:43.392731905 CET43928443192.168.2.2391.189.91.42
                                            Jan 18, 2025 18:10:55.493294954 CET4433925834.249.145.219192.168.2.23
                                            Jan 18, 2025 18:10:55.493576050 CET39258443192.168.2.2334.249.145.219
                                            Jan 18, 2025 18:10:55.498406887 CET4433925834.249.145.219192.168.2.23
                                            Jan 18, 2025 18:10:59.518582106 CET4251680192.168.2.23109.202.202.202
                                            Jan 18, 2025 18:11:03.614044905 CET43928443192.168.2.2391.189.91.42
                                            Jan 18, 2025 18:11:44.568195105 CET43928443192.168.2.2391.189.91.42

                                            System Behavior

                                            General

                                            Start time (UTC):17:10:43
                                            Start date (UTC):18/01/2025
                                            Path:/tmp/Yboats.arm5.elf
                                            Arguments:/tmp/Yboats.arm5.elf
                                            File size:4956856 bytes
                                            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                            File Activities

                                            Process Activities

                                            System Activities


                                            General

                                            Start time (UTC):17:10:54
                                            Start date (UTC):18/01/2025
                                            Path:/usr/bin/dash
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Process Activities


                                            General

                                            Start time (UTC):17:10:54
                                            Start date (UTC):18/01/2025
                                            Path:/usr/bin/rm
                                            Arguments:rm -f /tmp/tmp.MWZ7LfXK5N /tmp/tmp.nWioCTkRfx /tmp/tmp.9FzMkXxcdd
                                            File size:72056 bytes
                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                            File Activities


                                            General

                                            Start time (UTC):17:10:54
                                            Start date (UTC):18/01/2025
                                            Path:/usr/bin/dash
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Process Activities


                                            General

                                            Start time (UTC):17:10:54
                                            Start date (UTC):18/01/2025
                                            Path:/usr/bin/rm
                                            Arguments:rm -f /tmp/tmp.MWZ7LfXK5N /tmp/tmp.nWioCTkRfx /tmp/tmp.9FzMkXxcdd
                                            File size:72056 bytes
                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                            File Activities