
Linux Analysis Report
harm.elf

Overview

General Information

Sample name: harm.elf
Analysis ID: 1594516
MD5: 5e4e0c71b0b3af596213d58f818aea9f
SHA1: 8f1ab70331f7f60e39ef0cd2c8508f8a4209f987
SHA256: c938f17747f75612ce92da0f1436e3c14a7b88f0ff63af125b1e3f249eed6bc4
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1594516
Start date and time: 2025-01-19 04:02:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: harm.elf
Detection: MAL
Classification: mal48.linELF@0/0@0/0
Command: /tmp/harm.elf
PID: 5528
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:

Process tree:
  • system is lnxubuntu20
  • harm.elf (PID: 5528, Parent: 5447, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/harm.elf
    • harm.elf New Fork (PID: 5530, Parent: 5528)
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: harm.elf; Virustotal: Detection: 11%
Source: harm.elf; ReversingLabs: Detection: 15%
Source: global traffic; TCP traffic: 192.168.2.15:58448 -> 85.239.34.134:5683
Source: unknown; TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal48.linELF@0/0@0/0
Source: /tmp/harm.elf (PID: 5528); Queries kernel information via 'uname'
Source: harm.elf, 5528.1.000055d4279cd000.000055d427afb000.rw-.sdmp; Binary or memory string: U!/etc/qemu-binfmt/arm
Source: harm.elf, 5528.1.00007fff2af12000.00007fff2af33000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/harm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/harm.elf
Source: harm.elf, 5528.1.000055d4279cd000.000055d427afb000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/arm
Source: harm.elf, 5528.1.00007fff2af12000.00007fff2af33000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-arm
MITRE ATT&CK matrix (tactic: technique; a number in parentheses is the count shown in the matrix for that cell):

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: Security Software Discovery (11)
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Non-Standard Port (1)
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
No configs have been found
Behavior Graph ID: 1594516; Sample: harm.elf; Start date: 19/01/2025; Architecture: LINUX; Score: 48
Process: harm.elf started; child harm.elf started
Network: 85.239.34.134, destination port 5683, source ports 58448 and 58450; RAINBOW-HKRainbownetworklimitedHK, Russian Federation
Signature: Multi AV Scanner detection for submitted file
Source    Detection  Scanner        Label
harm.elf  11%        Virustotal
harm.elf  16%        ReversingLabs  Linux.Trojan.Mirai
No Antivirus matches


No contacted domains info
IP             Domain   Country             ASN     ASN Name                           Malicious
85.239.34.134  unknown  Russian Federation  134121  RAINBOW-HKRainbownetworklimitedHK  false
IP context

Match          Associated Sample Name  Detection  Threat Name
85.239.34.134  arm7.elf                malicious  Unknown
85.239.34.134  mpsl.elf                malicious  Unknown
85.239.34.134  x86.elf                 malicious  Unknown
85.239.34.134  ppc.elf                 malicious  Unknown
85.239.34.134  arm.elf                 malicious  Unknown
85.239.34.134  mips.elf                malicious  Unknown
85.239.34.134  arm6.elf                malicious  Unknown
85.239.34.134  arm7.elf                malicious  Unknown
85.239.34.134  ppc.elf                 malicious  Unknown
85.239.34.134  mips.elf                malicious  Unknown
No context

ASN context

Match                              Associated Sample Name  Detection  Threat Name  Context
RAINBOW-HKRainbownetworklimitedHK  arm7.elf                malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  mpsl.elf                malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  x86.elf                 malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  ppc.elf                 malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  arm.elf                 malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  mips.elf                malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  arm6.elf                malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  arm7.elf                malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  ppc.elf                 malicious  Unknown      85.239.34.134
RAINBOW-HKRainbownetworklimitedHK  mips.elf                malicious  Unknown      85.239.34.134
No context
No created / dropped files found

File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit): 5.914769110478839
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: harm.elf
File size: 42'252 bytes
MD5: 5e4e0c71b0b3af596213d58f818aea9f
SHA1: 8f1ab70331f7f60e39ef0cd2c8508f8a4209f987
SHA256: c938f17747f75612ce92da0f1436e3c14a7b88f0ff63af125b1e3f249eed6bc4
SHA512: 11ae8f8c0426733aaa0d4ff482ece3cd57b781f97500ba4bfb725e44160cc5f2060d679c2d40fcac7be2aa337674d368293b7a02f81d0dad43af303727fc6a38
SSDEEP: 768:uIhrjNyro5XUraaidEdVovxu0nYhhUDDwDR0dzrwezOB4DSIAvp74XgBBC0zvdux:9hsa9xtwxeUpdvdumH57cYLVVdg7VF9j
TLSH: 12131882B9809762C4E855FBFA4F8188336AA3BDE2FF720249635F6133575270EE9055
File Content Preview: .ELF...a..........(.........4...........4. ...(.............................................. ... .......&..........Q.td..................................-...L."....&..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: ARM - ABI
ABI Version: 0
Entry Point Address: 0x8190
Flags: 0x202
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 41732
Section Header Size: 40
Number of Section Headers: 13
Header String Table Index: 12

Section headers

Name             Type            Address  Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
                 NULL            0x0      0x0     0x0     0x0      0x0                       0     0     0
.init            PROGBITS        0x8094   0x94    0x18    0x0      0x6    AX                 0     0     4
.text            PROGBITS        0x80b0   0xb0    0x9b38  0x0      0x6    AX                 0     0     16
.fini            PROGBITS        0x11be8  0x9be8  0x14    0x0      0x6    AX                 0     0     4
.rodata          PROGBITS        0x11bfc  0x9bfc  0x3c6   0x0      0x2    A                  0     0     4
.eh_frame        PROGBITS        0x12000  0xa000  0x4     0x0      0x3    WA                 0     0     4
.ctors           PROGBITS        0x12004  0xa004  0x8     0x0      0x3    WA                 0     0     4
.dtors           PROGBITS        0x1200c  0xa00c  0x8     0x0      0x3    WA                 0     0     4
.jcr             PROGBITS        0x12014  0xa014  0x4     0x0      0x3    WA                 0     0     4
.data            PROGBITS        0x12018  0xa018  0x27c   0x0      0x3    WA                 0     0     4
.bss             NOBITS          0x12294  0xa294  0x2424  0x0      0x3    WA                 0     0     4
.ARM.attributes  ARM_ATTRIBUTES  0x0      0xa294  0x10    0x0      0x0                       0     0     1
.shstrtab        STRTAB          0x0      0xa2a4  0x5d    0x0      0x0                       0     0     1

Program headers

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Section Mappings
LOAD       0x0     0x8000           0x8000            0x9fc2     0x9fc2       5.9525   0x5    R E                0x1000  .init .text .fini .rodata
LOAD       0xa000  0x12000          0x12000           0x294      0x26b8       3.6735   0x6    RW                 0x1000  .eh_frame .ctors .dtors .jcr .data .bss
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 19, 2025 04:03:02.365535021 CET  58448        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:03:02.370599985 CET  5683         58448      85.239.34.134  192.168.2.15
Jan 19, 2025 04:03:02.370759010 CET  58448        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:04:02.432564020 CET  58448        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:04:02.437738895 CET  5683         58448      85.239.34.134  192.168.2.15
Jan 19, 2025 04:04:02.647409916 CET  5683         58448      85.239.34.134  192.168.2.15
Jan 19, 2025 04:04:02.647907972 CET  58448        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:04:02.653002024 CET  5683         58448      85.239.34.134  192.168.2.15
Jan 19, 2025 04:04:03.650935888 CET  58450        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:04:03.656208038 CET  5683         58450      85.239.34.134  192.168.2.15
Jan 19, 2025 04:04:03.656284094 CET  58450        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:04:03.656389952 CET  58450        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:04:03.661223888 CET  5683         58450      85.239.34.134  192.168.2.15
Jan 19, 2025 04:05:03.710752964 CET  58450        5683       192.168.2.15   85.239.34.134
Jan 19, 2025 04:05:03.716115952 CET  5683         58450      85.239.34.134  192.168.2.15

System Behavior

Start time (UTC): 03:03:01
Start date (UTC): 19/01/2025
Path: /tmp/harm.elf
Arguments: /tmp/harm.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 03:03:01
Start date (UTC): 19/01/2025
Path: /tmp/harm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1