
Linux Analysis Report
dlr.arm6.elf

Overview

General Information

Sample name: dlr.arm6.elf
Analysis ID: 1612193
MD5: 0f35ac76dbfa320fd909afa532e42d70
SHA1: df02bd811eda135fa97140e1d40bc863e55a2e80
SHA256: 0a02ba9c9a83a13aa63cd4b30c31b24ecac0e5e45bf127b55a95f82dcd741fc5
Tags: elf, user-abuse_ch

Detection

Score: 48 (range 0 - 100)

Signatures

  • Multi AV Scanner detection for submitted file
  • HTTP GET or POST without a user agent
  • Sample has stripped symbol table
  • Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Label: malicious (score 48; classification string mal48.linELF@0/0@0/0)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1612193
Start date and time: 2025-02-11 16:16:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: dlr.arm6.elf
Detection: MAL
Classification: mal48.linELF@0/0@0/0
Command: /tmp/dlr.arm6.elf
PID: 5480
Exit Code: 4
Killed: False
Standard Output:
LIZRD
Standard Error:
  • system is lnxubuntu20
  • dlr.arm6.elf (PID: 5480, Parent: 5402, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/dlr.arm6.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: dlr.arm6.elf; Virustotal: Detection: 29%
Source: dlr.arm6.elf; ReversingLabs: Detection: 42%

Source: global traffic; HTTP traffic detected: GET /arm6 HTTP/1.0 (Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00; Data Ascii: empty)
Source: unknown; TCP traffic detected without corresponding DNS query: 185.93.89.101 (listed 5 times)
Source: ELF static info; symbol table (.symtab) of initial sample present: no
Source: classification engine; Classification label: mal48.linELF@0/0@0/0
Source: /tmp/dlr.arm6.elf (PID: 5480); Queries kernel information via 'uname'
Source: dlr.arm6.elf, 5480.1.000055ee5427d000.000055ee543ab000.rw-.sdmp; Binary or memory string: U!/etc/qemu-binfmt/arm
Source: dlr.arm6.elf, 5480.1.00007fff2487a000.00007fff2489b000.rw-.sdmp; Binary or memory string: `#x86_64/usr/bin/qemu-arm/tmp/dlr.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dlr.arm6.elf
Source: dlr.arm6.elf, 5480.1.000055ee5427d000.000055ee543ab000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/arm
Source: dlr.arm6.elf, 5480.1.00007fff2487a000.00007fff2489b000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-arm

Note on the memory strings: the sample is a 32-bit ARM executable and the analysis system is x64, so it ran through binfmt_misc under the qemu-arm user-mode emulator. The qemu paths, the environment block (SUDO_USER, PATH, DISPLAY, ...) and the 0x000055ee.../0x00007fff... x86-64 address ranges belong to the emulator process, not to the sample's own code, and should not be read as sandbox-detection logic inside the sample.
MITRE ATT&CK mapping (techniques the report's signatures were mapped to; the remaining matrix cells were empty template entries):

  • Discovery: Security Software Discovery
  • Command and Control: Non-Application Layer Protocol
  • Command and Control: Application Layer Protocol
  • Command and Control: Ingress Tool Transfer

The observations behind these are the uname query, the TCP connection to 185.93.89.101 without a DNS lookup, and the HTTP GET /arm6 without a User-Agent header.
No configs have been found
Behavior Graph (ID: 1612193, Sample: dlr.arm6.elf, Start date: 11/02/2025, Architecture: LINUX, Score: 48):

  • Process started: dlr.arm6.elf
  • Network: 185.93.89.101 (source port 53044, destination port 80), TS-EMEA-ASN, GB, United Kingdom
  • Signature: Multi AV Scanner detection for submitted file
Source        Detection  Scanner        Label
dlr.arm6.elf  29%        Virustotal     -
dlr.arm6.elf  42%        ReversingLabs  Linux.Downloader.Mirai
No further Antivirus matches


No contacted domains info

IP             Domain   Country         ASN     ASN Name       Malicious
185.93.89.101  unknown  United Kingdom  200861  TS-EMEA-ASNGB  false
Context by IP address:

Match          Associated Sample Name / URL                Detection  Threat Name  Context
185.93.89.101  dlr.x86.elf                                 malicious  Unknown      /x86
               dlr.mips.elf                                malicious  Unknown      /mips
               dlr.arm7.elf                                malicious  Unknown      /arm7

Context by ASN:

Match          Associated Sample Name / URL                Detection  Threat Name  Context
TS-EMEA-ASNGB  arm5.elf                                    malicious  Mirai        185.93.89.106
               arm.elf                                     malicious  Mirai        185.93.89.106
               dlr.x86.elf                                 malicious  Unknown      185.93.89.101
               dlr.mips.elf                                malicious  Unknown      185.93.89.101
               dlr.arm7.elf                                malicious  Unknown      185.93.89.101
               mpsl.elf                                    malicious  Mirai        185.93.89.106
               arm7.elf                                    malicious  Mirai        185.93.89.106
               185.93.89.101-mips-2025-02-11T10_20_14.elf  malicious  Mirai        185.93.89.106
               mpsl.elf                                    malicious  Mirai        185.93.89.106
               arm4.elf                                    malicious  Mirai        185.93.89.106

No further context available.

The sibling samples on the same host fetch one payload path per target architecture (/x86, /mips, /arm7), matching this sample's GET /arm6, and the payloads hosted on 185.93.89.106 in the same ASN are classified as Mirai; together with the ReversingLabs label Linux.Downloader.Mirai this places the file as the per-architecture downloader stage of a Mirai-style botnet.
No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit): 4.815098593693894
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: dlr.arm6.elf
File size: 1'436 bytes
MD5: 0f35ac76dbfa320fd909afa532e42d70
SHA1: df02bd811eda135fa97140e1d40bc863e55a2e80
SHA256: 0a02ba9c9a83a13aa63cd4b30c31b24ecac0e5e45bf127b55a95f82dcd741fc5
SHA512: 1809890ee5f0c6b4fee07285cda8db8f6b15ac1835fd4da59a63d1e2a0830f8b7b0f6a07461d3587424a77557220e07f87a4b0f5466619611fe8df8f641e9bbc
SSDEEP: 24:rKGpa7Urz/jlfkj5+XK1G9Vev3gRGD9iMC/NBucllxrR+zbeSRYt:rKGpa7UrLZk59R3iNBualxrsbeSRY
TLSH: D821E19157D05DFDCCE491BFAD564310B3659F80E0CBB663A21877147D2AE7C5C26046
File Content Preview: .ELF..............(.........4...........4. ...(.....................4...4...............4...4...4...................Q.td.........................................8...<...4...........(.."...#...../...-.......M.................../...-.......M................

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8388
Flags: 0x4000002
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 1156
Section Header Size: 40
Number of Section Headers: 7
Header String Table Index: 6

Section headers

Name             Type            Address  Offset  Size   EntSize  Flags  Flags Description  Link  Info  Align
(null)           NULL            0x0      0x0     0x0    0x0      0x0    -                  0     0     0
.text            PROGBITS        0x80a0   0xa0    0x35c  0x0      0x6    AX                 0     0     16
.rodata          PROGBITS        0x83fc   0x3fc   0x38   0x1      0x32   AMS                0     0     4
.got             PROGBITS        0x10434  0x434   0xc    0x4      0x3    WA                 0     0     4
.bss             NOBITS          0x10440  0x440   0x8    0x0      0x3    WA                 0     0     4
.ARM.attributes  ARM_ATTRIBUTES  0x0      0x440   0x10   0x0      0x0    -                  0     0     1
.shstrtab        STRTAB          0x0      0x450   0x33   0x0      0x0    -                  0     0     1

Program headers

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Section Mappings
LOAD       0x0     0x8000           0x8000            0x434      0x434        5.2371   0x5    R E                0x8000  .text .rodata
LOAD       0x434   0x10434          0x10434           0xc        0x14         0.0000   0x6    RW                 0x8000  .got .bss
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4     -

No PT_INTERP segment is present.

What these headers say about the sample:

  • Flags 0x4000002: the top byte (0x04) is the ARM EABI version, matching "EABI4" in the file type line; bit 0x2 is EF_ARM_HASENTRY.
  • The entry point 0x8388 lies inside .text (0x80a0 to 0x83fc), close to its end.
  • There is no .symtab or .strtab section, which is what the "Sample has stripped symbol table" signature checks; with no PT_INTERP or PT_DYNAMIC segment, the file is statically linked, so there are no imports to pivot on and string triage of .rodata (0x38 bytes) is the main static lead.
  • The second LOAD segment's memory size 0x14 is .got (0xc) plus .bss (0x8); the file size 0x434 covers only .got.
  • GNU_STACK carries flags 0x7 (RWE), i.e. the binary requests an executable stack.
  • The section header table at offset 1156 plus 7 x 40 bytes ends at byte 1436, exactly the file size, so the sample is not truncated.
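The checks listed above can be reproduced on the file itself with a small ELF32 parser. The following is an added example written for this page, not Joe Sandbox code: build_sample_elf() constructs a stand-in image using the header, segment and section values from the tables (the .text and .rodata bytes are filler, not the sample's code, so hashes will not match), and parse_elf32() extracts the fields a triage pass needs and evaluates the stripped-symtab, static-linking, executable-stack and entry-in-.text conditions. Run it with a path argument to apply the same parser to the real dlr.arm6.elf.

```python
"""ELF32 triage parser. Added example for this page (not Joe Sandbox code):
builds a constructed ELF32/ARM image with the header, segment and section
values tabulated above (code bytes are filler) and runs the checks the
signatures rely on: stripped .symtab, static linking, executable GNU_STACK."""
import struct
import sys

EM_ARM = 0x28
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_STACK = 1, 2, 3, 0x6474E551
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS = 1, 2, 3, 8
SHT_ARM_ATTRIBUTES = 0x70000003
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # ELF32 header, 52 bytes, little endian
PHDR = struct.Struct("<IIIIIIII")          # ELF32 program header, 32 bytes
SHDR = struct.Struct("<IIIIIIIIII")        # ELF32 section header, 40 bytes


def build_sample_elf() -> bytes:
    """Constructed stand-in for dlr.arm6.elf with the report's layout (1436 bytes)."""
    secnames = [b".text", b".rodata", b".got", b".bss", b".ARM.attributes", b".shstrtab"]
    name_off, shstrtab, off = {}, b"\0", 1
    for n in secnames:
        name_off[n] = off
        shstrtab += n + b"\0"
        off += len(n) + 1
    body = bytearray(0x484)                      # everything before the section header table
    body[0xA0:0xA0 + 0x35C] = b"\x00\x00\xa0\xe1" * (0x35C // 4)  # filler: ARM "mov r0, r0"
    body[0x3FC:0x3FC + 0x38] = b"LIZRD\n\0".ljust(0x38, b"\0")    # filler .rodata
    body[0x450:0x450 + len(shstrtab)] = shstrtab
    body[0:52] = EHDR.pack(b"\x7fELF\x01\x01\x01" + b"\0" * 9, 2, EM_ARM, 1, 0x8388,
                           52, 0x484, 0x4000002, 52, 32, 3, 40, 7, 6)
    phdrs = [  # type, offset, vaddr, paddr, filesz, memsz, flags, align
        (PT_LOAD, 0x0, 0x8000, 0x8000, 0x434, 0x434, PF_R | PF_X, 0x8000),
        (PT_LOAD, 0x434, 0x10434, 0x10434, 0xC, 0x14, PF_R | PF_W, 0x8000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 4),
    ]
    body[52:52 + 96] = b"".join(PHDR.pack(*p) for p in phdrs)
    shdrs = [  # name, type, flags, addr, offset, size, link, info, align, entsize
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        (name_off[b".text"], SHT_PROGBITS, 0x6, 0x80A0, 0xA0, 0x35C, 0, 0, 16, 0),
        (name_off[b".rodata"], SHT_PROGBITS, 0x32, 0x83FC, 0x3FC, 0x38, 0, 0, 4, 1),
        (name_off[b".got"], SHT_PROGBITS, 0x3, 0x10434, 0x434, 0xC, 0, 0, 4, 4),
        (name_off[b".bss"], SHT_NOBITS, 0x3, 0x10440, 0x440, 0x8, 0, 0, 4, 0),
        (name_off[b".ARM.attributes"], SHT_ARM_ATTRIBUTES, 0, 0, 0x440, 0x10, 0, 0, 1, 0),
        (name_off[b".shstrtab"], SHT_STRTAB, 0, 0, 0x450, 0x33, 0, 0, 1, 0),
    ]
    return bytes(body) + b"".join(SHDR.pack(*s) for s in shdrs)


def parse_elf32(data: bytes) -> dict:
    """Parse an ELF32 little-endian image and return the fields a triage pass checks."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not an ELF32 little-endian image")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, e_flags, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    shdrs = [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    st_off, st_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[st_off:st_off + st_size]
    names = [strtab[s[0]:strtab.index(b"\0", s[0])].decode() for s in shdrs]
    text = next((s for s, n in zip(shdrs, names) if n == ".text"), None)
    ptypes = {p[0] for p in phdrs}
    stack = next((p for p in phdrs if p[0] == PT_GNU_STACK), None)
    return {
        "machine": "ARM" if e_machine == EM_ARM else hex(e_machine),
        "exec": e_type == 2,
        "entry": e_entry,
        "arm_eabi_version": e_flags >> 24,          # EF_ARM_EABIMASK: 4 -> "EABI4"
        "has_entry_flag": bool(e_flags & 0x2),      # EF_ARM_HASENTRY
        "sections": names,
        "stripped": not any(s[1] == SHT_SYMTAB for s in shdrs),
        "static": PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes,
        "exec_stack": stack is not None and bool(stack[6] & PF_X),
        "entry_in_text": text is not None and text[3] <= e_entry < text[3] + text[5],
        "load_segments": [(hex(p[2]), hex(p[5]), p[6]) for p in phdrs if p[0] == PT_LOAD],
        "file_size_matches": e_shoff + e_shnum * e_shentsize == len(data),
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in parse_elf32(blob).items():
        print(f"{key:>18}: {value}")
```

The parser deliberately trusts nothing beyond the header sizes it read: a sample whose section header table points past the end of the file will raise on unpack rather than silently report "stripped", which is the failure mode to watch for when a sample has had its section headers stripped or corrupted rather than just its symbols.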


TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 11, 2025 16:17:26.245764017 CET  53044        80         192.168.2.13   185.93.89.101
Feb 11, 2025 16:17:26.250813007 CET  80           53044      185.93.89.101  192.168.2.13
Feb 11, 2025 16:17:26.250874043 CET  53044        80         192.168.2.13   185.93.89.101
Feb 11, 2025 16:17:26.251782894 CET  53044        80         192.168.2.13   185.93.89.101
Feb 11, 2025 16:17:26.256550074 CET  80           53044      185.93.89.101  192.168.2.13
Feb 11, 2025 16:17:27.881896973 CET  80           53044      185.93.89.101  192.168.2.13
Feb 11, 2025 16:17:27.882493973 CET  53044        80         192.168.2.13   185.93.89.101
Feb 11, 2025 16:17:28.043452978 CET  53044        80         192.168.2.13   185.93.89.101
Feb 11, 2025 16:17:28.048280954 CET  80           53044      185.93.89.101  192.168.2.13

HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port
0           192.168.2.13  53044        185.93.89.101   80

Timestamp                            Bytes transferred  Direction  Data
Feb 11, 2025 16:17:26.251782894 CET  46                 OUT        GET /arm6 HTTP/1.0
Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii:

Only the outbound request is recorded: no HTTP response payload appears in the session and no file was dropped, so the /arm6 payload was not retrieved during this run. The request goes straight to a hard-coded IP (no DNS query precedes it), uses HTTP/1.0 and carries neither a Host nor a User-Agent header, which is what the "HTTP GET or POST without a user agent" and "TCP traffic detected without corresponding DNS query" signatures key on.
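The two network signatures listed earlier and the download-path pattern visible in the context tables are easy to re-derive from a capture. The following is an added example written for this page, not sandbox or Suricata code: it walks a constructed event stream (DNS answers, TCP connects, raw HTTP requests) in capture order, flags public destinations that no DNS answer supplied, GET/POST requests without a User-Agent header, and payload paths named after a CPU architecture. The 185.93.89.101 entries mirror the capture above; the example.org lookup and request, the port 40122 and the curl User-Agent are invented for contrast.

```python
"""Replays three of the network checks behind the report's signatures over a
constructed event stream: TCP to an address no DNS answer supplied, an HTTP
GET/POST without a User-Agent header, and a download path named after a CPU
architecture. Added example for this page, not sandbox or Suricata code."""
import ipaddress

# Payload paths named after target architectures, as in the report's context
# tables (/x86, /mips, /arm7 on the same host; arm4, arm5, mpsl payloads on the ASN).
ARCH_PATHS = {"x86", "x86_64", "mips", "mpsl", "arm", "arm4", "arm5", "arm6", "arm7"}

# Constructed event stream: the last two entries mirror the capture above; the
# DNS answer and the example.org request are invented for contrast.
SAMPLE_EVENTS = [
    {"kind": "dns", "name": "example.org", "answers": ["93.184.216.34"]},
    {"kind": "tcp", "src": "192.168.2.13", "sport": 40122, "dst": "93.184.216.34", "dport": 80},
    {"kind": "http", "src": "192.168.2.13", "sport": 40122, "dst": "93.184.216.34", "dport": 80,
     "request": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.5.0\r\n\r\n"},
    {"kind": "tcp", "src": "192.168.2.13", "sport": 53044, "dst": "185.93.89.101", "dport": 80},
    {"kind": "http", "src": "192.168.2.13", "sport": 53044, "dst": "185.93.89.101", "dport": 80,
     "request": b"GET /arm6 HTTP/1.0\r\n\r\n"},
]


def parse_http_request(raw: bytes):
    """Split a raw HTTP request into method, path, version and lower-cased headers.
    Returns None when the request line or a header line is malformed."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            return None
        key, value = line.split(b":", 1)
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"), "path": parts[1].decode("latin-1"),
            "version": parts[2].decode("latin-1"), "headers": headers}


def triage_events(events):
    """Walk the stream in capture order and return (rule, detail) findings."""
    resolved, findings = set(), []
    for ev in events:
        if ev["kind"] == "dns":
            resolved.update(ev["answers"])
        elif ev["kind"] == "tcp":
            # Public destination never returned by a DNS answer earlier in the capture:
            # a hard-coded C2/download host, the "TCP traffic without DNS query" signature.
            if ipaddress.ip_address(ev["dst"]).is_global and ev["dst"] not in resolved:
                findings.append(("tcp_without_dns",
                                 f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}"))
        elif ev["kind"] == "http":
            req = parse_http_request(ev["request"])
            if req is None:
                findings.append(("http_malformed", ev["dst"]))
                continue
            if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
                findings.append(("http_no_user_agent",
                                 f"{req['method']} {req['path']} -> {ev['dst']}"))
            if req["path"].strip("/").rsplit("/", 1)[-1].lower() in ARCH_PATHS:
                findings.append(("arch_named_download", f"{req['path']} -> {ev['dst']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage_events(SAMPLE_EVENTS):
        print(f"{rule:<22} {detail}")
```

The DNS check is order-sensitive on purpose: an address is only "resolved" if an answer for it was seen before the connection, which is how a sandbox distinguishes a hard-coded downloader host from a normal lookup-then-connect sequence. On real traffic the event list would come from a PCAP or Zeek's dns, conn and http logs rather than the inline list.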


System Behavior

Start time (UTC): 15:17:24
Start date (UTC): 11/02/2025
Path: /tmp/dlr.arm6.elf
Arguments: /tmp/dlr.arm6.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

The file size and MD5 recorded for the process (also shown in the process log above) do not match the submitted sample (1'436 bytes, MD5 0f35ac76dbfa320fd909afa532e42d70). This is consistent with the ARM binary being launched on the x64 analysis system via binfmt_misc under the qemu-arm user-mode emulator, as the /usr/bin/qemu-arm and /etc/qemu-binfmt/arm strings in the process memory indicate: the values describe the emulator's process image, not the sample. Use the hashes from the General Information section for indicator matching.