Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
mipsel.elf

Overview

General Information

Sample name:mipsel.elf
Analysis ID:1616712
MD5:fbad21895af9eb439d58aac92ab0a0b9
SHA1:ffeb12903447a54b04529b607d43d23490e956a1
SHA256:62ffefdd46f5f0bd15fd87927fc6a55a17d6477c56f6cc72b42d47b4459759ab
Tags:elfuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1616712
Start date and time:2025-02-17 06:47:19 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:mipsel.elf
Detection:MAL
Classification:mal60.spyw.evad.linELF@0/0@3/0

Runtime Messages

Command:/tmp/mipsel.elf
PID:5421
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Firmware update in progress
Standard Error:

Process Tree

  • system is lnxubuntu20
  • mipsel.elf (PID: 5421, Parent: 5343, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: mipsel.elfVirustotal: Detection: 20%Perma Link
Source: mipsel.elfReversingLabs: Detection: 13%

Networking

barindex
Source: /tmp/mipsel.elf (PID: 5423)Opens: /sys/class/net/Jump to behavior
Source: /tmp/mipsel.elf (PID: 5423)Opens: /sys/class/net/lo/addressJump to behavior
Source: /tmp/mipsel.elf (PID: 5423)Opens: /sys/class/net/ens160/addressJump to behavior
Source: /tmp/mipsel.elf (PID: 5423)Opens: /sys/class/net/ens160/flagsJump to behavior
Source: /tmp/mipsel.elf (PID: 5423)Opens: /sys/class/net/ens160/carrierJump to behavior
Source: global trafficTCP traffic: 192.168.2.13:52752 -> 103.35.190.176:5000
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownTCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknownUDP traffic detected without corresponding DNS query: 172.217.192.127
Source: unknownUDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: iranistrash.libre
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal60.spyw.evad.linELF@0/0@3/0

Hooking and other Techniques for Hiding and Protection

barindex
Source: /tmp/mipsel.elf (PID: 5421)File: /tmp/mipsel.elfJump to behavior
Source: /tmp/mipsel.elf (PID: 5421)Queries kernel information via 'uname': Jump to behavior
Source: /tmp/mipsel.elf (PID: 5423)Queries kernel information via 'uname': Jump to behavior
Source: mipsel.elf, 5421.1.000056394708f000.0000563947116000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5421.1.000056394708f000.0000563947116000.rw-.sdmpBinary or memory string: G9V!/etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5421.1.00007ffcd761d000.00007ffcd763e000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mipsel.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.elf
Source: mipsel.elf, 5421.1.00007ffcd761d000.00007ffcd763e000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel

HIPS / PFW / Operating System Protection Evasion

barindex
Source: TrafficDNS traffic detected: queries for: iranistrash.libre

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1616712 Sample: mipsel.elf Startdate: 17/02/2025 Architecture: LINUX Score: 60 16 iranistrash.libre 2->16 18 103.35.190.176, 5000, 52752 VECTANTARTERIANetworksCorporationJP Japan 2->18 20 2 other IPs or domains 2->20 22 Multi AV Scanner detection for submitted file 2->22 8 mipsel.elf 2->8         started        signatures3 24 Performs DNS TXT record lookups 16->24 process4 signatures5 26 Sample deletes itself 8->26 11 mipsel.elf 8->11         started        process6 signatures7 28 Opens /sys/class/net/* files useful for querying network interface information 11->28 14 mipsel.elf 11->14         started        process8

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
mipsel.elf21%VirustotalBrowse
mipsel.elf14%ReversingLabsLinux.Backdoor.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high
    iranistrash.libre
    		unknown
    		unknownfalse
      		high

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious
      103.35.190.176
      		unknownJapan2519VECTANTARTERIANetworksCorporationJPfalse
      172.217.192.127
      		unknownUnited States
      		15169GOOGLEUSfalse

      Joe Sandbox View / Context

      IPs

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      103.35.190.176sh4.elfGet hashmaliciousUnknownBrowse
        armv4l.elfGet hashmaliciousUnknownBrowse
          sparc.elfGet hashmaliciousUnknownBrowse
            mips.elfGet hashmaliciousUnknownBrowse
              mipsel.elfGet hashmaliciousUnknownBrowse

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                daisy.ubuntu.comarmv6l.elfGet hashmaliciousUnknownBrowse
                • 162.213.35.25
                armv5l.elfGet hashmaliciousUnknownBrowse
                • 162.213.35.25
                main_mpsl.elfGet hashmaliciousMiraiBrowse
                • 162.213.35.25
                xxxx.elfGet hashmaliciousUnknownBrowse
                • 162.213.35.25
                sysinfo.elfGet hashmaliciousSliverBrowse
                • 162.213.35.25
                hide.m68k.elfGet hashmaliciousUnknownBrowse
                • 162.213.35.25
                hide.mpsl.elfGet hashmaliciousUnknownBrowse
                • 162.213.35.24
                hide.arm6.elfGet hashmaliciousUnknownBrowse
                • 162.213.35.25

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                VECTANTARTERIANetworksCorporationJPsh4.elfGet hashmaliciousUnknownBrowse
                • 103.35.190.176
                armv4l.elfGet hashmaliciousUnknownBrowse
                • 36.3.233.191
                armv6l.elfGet hashmaliciousUnknownBrowse
                • 122.223.93.2
                Owari.arm.elfGet hashmaliciousUnknownBrowse
                • 203.114.9.204
                res.mips.elfGet hashmaliciousUnknownBrowse
                • 220.158.51.57
                jade.sh4.elfGet hashmaliciousMiraiBrowse
                • 36.2.53.56
                Fantazy.sh4.elfGet hashmaliciousMiraiBrowse
                • 157.14.200.76
                x86.elfGet hashmaliciousMirai, MoobotBrowse
                • 157.14.224.29
                Fantazy.mips.elfGet hashmaliciousUnknownBrowse
                • 202.241.163.130
                jackmyx86.elfGet hashmaliciousMiraiBrowse
                • 157.14.224.72

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                No created / dropped files found

                Static File Info

                General

                File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                Entropy (8bit):5.456488999106726
                TrID:
                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                File name:mipsel.elf
                File size:92'288 bytes
                MD5:fbad21895af9eb439d58aac92ab0a0b9
                SHA1:ffeb12903447a54b04529b607d43d23490e956a1
                SHA256:62ffefdd46f5f0bd15fd87927fc6a55a17d6477c56f6cc72b42d47b4459759ab
                SHA512:cce16706defddeaaaca2bba3a8288aaeb875b3a7c4f72afea74eb9dd992cb24a6e4e5ec3d9aa4508a739a9dea35939260c16dc3def8835548d6a0166eaaf55a2
                SSDEEP:1536:6idLX62Ke17M6j66dbq18uY0ZOYddueWPEgGgwVOPWKwjh7L:6obh7My66dbqioOYSHvm
                TLSH:A193D605BF510FB7E86FCD374AE91B02158D961A22A97F367E34DC18F64B64B09E3860
                File Content Preview:.ELF....................`.@.4....f......4. ...(...............@...@..[...[...............`...`E..`E.T...$...........Q.td...............................<<..'!......'.......................<...'!... .........9'.. ........................<...'!...........@S9

                Static ELF Info

                ELF header

                Class:ELF32
                Data:2's complement, little endian
                Version:1 (current)
                Machine:MIPS R3000
                Version Number:0x1
                Type:EXEC (Executable file)
                OS/ABI:UNIX - System V
                ABI Version:0
                Entry Point Address:0x400260
                Flags:0x1007
                ELF Header Size:52
                Program Header Offset:52
                Program Header Size:32
                Number of Program Headers:3
                Section Header Offset:91808
                Section Header Size:40
                Number of Section Headers:12
                Header String Table Index:11

                Sections

                NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                NULL0x00x00x00x00x0000
                .initPROGBITS0x4000940x940x8c0x00x6AX004
                .textPROGBITS0x4001200x1200x152900x00x6AX0016
                .finiPROGBITS0x4153b00x153b00x5c0x00x6AX004
                .rodataPROGBITS0x4154100x154100x7d00x00x2A0016
                .ctorsPROGBITS0x4560000x160000x80x00x3WA004
                .dtorsPROGBITS0x4560080x160080x80x00x3WA004
                .dataPROGBITS0x4560200x160200x1b80x00x3WA0016
                .gotPROGBITS0x4561e00x161e00x4740x40x10000003WAp0016
                .sbssNOBITS0x4566540x166540x80x00x10000003WAp004
                .bssNOBITS0x4566600x166540x14c40x00x3WA0016
                .shstrtabSTRTAB0x00x166540x490x00x0001

                Program Segments

                TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                LOAD0x00x4000000x4000000x15be00x15be05.51680x5R E0x10000.init .text .fini .rodata
                LOAD0x160000x4560000x4560000x6540x1b243.57950x6RW 0x10000.ctors .dtors .data .got .sbss .bss
                GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                Network Behavior

                Download Network PCAP: filteredfull

                Network Port Distribution

                • Total Packets: 10
                • 5000 undefined
                • 53 (DNS)
                TimestampSource PortDest PortSource IPDest IP
                Feb 17, 2025 06:48:09.922193050 CET527525000192.168.2.13103.35.190.176
                Feb 17, 2025 06:48:09.927046061 CET500052752103.35.190.176192.168.2.13
                Feb 17, 2025 06:48:09.927180052 CET527525000192.168.2.13103.35.190.176
                Feb 17, 2025 06:48:09.927506924 CET527525000192.168.2.13103.35.190.176
                Feb 17, 2025 06:48:09.932286024 CET500052752103.35.190.176192.168.2.13
                Feb 17, 2025 06:48:10.371826887 CET500052752103.35.190.176192.168.2.13
                Feb 17, 2025 06:48:10.372008085 CET527525000192.168.2.13103.35.190.176
                Feb 17, 2025 06:49:10.430670977 CET527525000192.168.2.13103.35.190.176
                Feb 17, 2025 06:49:10.435534954 CET500052752103.35.190.176192.168.2.13
                Feb 17, 2025 06:50:10.491786003 CET527525000192.168.2.13103.35.190.176
                Feb 17, 2025 06:50:10.496802092 CET500052752103.35.190.176192.168.2.13
                Feb 17, 2025 06:50:10.587393045 CET500052752103.35.190.176192.168.2.13
                Feb 17, 2025 06:50:10.587630987 CET527525000192.168.2.13103.35.190.176
                TimestampSource PortDest PortSource IPDest IP
                Feb 17, 2025 06:48:09.253189087 CET179363478192.168.2.13172.217.192.127
                Feb 17, 2025 06:48:09.817883968 CET347817936172.217.192.127192.168.2.13
                Feb 17, 2025 06:48:09.901693106 CET5233753192.168.2.13202.61.197.122
                Feb 17, 2025 06:48:09.919692039 CET5352337202.61.197.122192.168.2.13
                Feb 17, 2025 06:48:11.284235954 CET6023553192.168.2.131.1.1.1
                Feb 17, 2025 06:48:11.284301043 CET3557853192.168.2.131.1.1.1
                Feb 17, 2025 06:48:11.291095018 CET53355781.1.1.1192.168.2.13
                Feb 17, 2025 06:48:11.291426897 CET53602351.1.1.1192.168.2.13

                DNS Queries

                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                Feb 17, 2025 06:48:09.901693106 CET192.168.2.13202.61.197.1220x68daStandard query (0)iranistrash.libre16IN (0x0001)false
                Feb 17, 2025 06:48:11.284235954 CET192.168.2.131.1.1.10x8b0bStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                Feb 17, 2025 06:48:11.284301043 CET192.168.2.131.1.1.10xd26Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                DNS Answers

                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                Feb 17, 2025 06:48:09.919692039 CET202.61.197.122192.168.2.130x68daNo error (0)iranistrash.libreTXT (Text strings)IN (0x0001)false
                Feb 17, 2025 06:48:11.291426897 CET1.1.1.1192.168.2.130x8b0bNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                Feb 17, 2025 06:48:11.291426897 CET1.1.1.1192.168.2.130x8b0bNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                System Behavior

                General

                Start time (UTC):05:48:07
                Start date (UTC):17/02/2025
                Path:/tmp/mipsel.elf
                Arguments:/tmp/mipsel.elf
                File size:5773336 bytes
                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                File Activities

                Process Activities

                System Activities

                Network Activities


                General

                Start time (UTC):05:48:08
                Start date (UTC):17/02/2025
                Path:/tmp/mipsel.elf
                Arguments:-
                File size:5773336 bytes
                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                File Activities

                Process Activities

                System Activities

                Network Activities


                General

                Start time (UTC):05:48:09
                Start date (UTC):17/02/2025
                Path:/tmp/mipsel.elf
                Arguments:-
                File size:5773336 bytes
                MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                Process Activities

                Network Activities