
Linux Analysis Report
mipsel.elf

Overview

General Information

Sample name: mipsel.elf
Analysis ID: 1616712
MD5: fbad21895af9eb439d58aac92ab0a0b9
SHA1: ffeb12903447a54b04529b607d43d23490e956a1
SHA256: 62ffefdd46f5f0bd15fd87927fc6a55a17d6477c56f6cc72b42d47b4459759ab
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1616712
Start date and time: 2025-02-17 06:47:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: mipsel.elf
Detection: MAL
Classification: mal60.spyw.evad.linELF@0/0@3/0
Command: /tmp/mipsel.elf
PID: 5421
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Firmware update in progress
Standard Error:
  • system is lnxubuntu20
  • mipsel.elf (PID: 5421, Parent: 5343, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mipsel.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: mipsel.elf | Virustotal: Detection: 20%
Source: mipsel.elf | ReversingLabs: Detection: 13%

Networking

Source: /tmp/mipsel.elf (PID: 5423) | Opens: /sys/class/net/
Source: /tmp/mipsel.elf (PID: 5423) | Opens: /sys/class/net/lo/address
Source: /tmp/mipsel.elf (PID: 5423) | Opens: /sys/class/net/ens160/address
Source: /tmp/mipsel.elf (PID: 5423) | Opens: /sys/class/net/ens160/flags
Source: /tmp/mipsel.elf (PID: 5423) | Opens: /sys/class/net/ens160/carrier
Source: global traffic | TCP traffic: 192.168.2.13:52752 -> 103.35.190.176:5000
Source: unknown | TCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknown | UDP traffic detected without corresponding DNS query: 172.217.192.127
Source: unknown | UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: iranistrash.libre
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal60.spyw.evad.linELF@0/0@3/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/mipsel.elf (PID: 5421) | File: /tmp/mipsel.elf
Source: /tmp/mipsel.elf (PID: 5421) | Queries kernel information via 'uname'
Source: /tmp/mipsel.elf (PID: 5423) | Queries kernel information via 'uname'
Source: mipsel.elf, 5421.1.000056394708f000.0000563947116000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5421.1.000056394708f000.0000563947116000.rw-.sdmp | Binary or memory string: G9V!/etc/qemu-binfmt/mipsel
Source: mipsel.elf, 5421.1.00007ffcd761d000.00007ffcd763e000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mipsel.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mipsel.elf
Source: mipsel.elf, 5421.1.00007ffcd761d000.00007ffcd763e000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: iranistrash.libre
MITRE ATT&CK matrix (only the techniques flagged for this sample are listed; the remaining cells of the matrix were unmarked):

  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No configs have been found
Behavior Graph ID: 1616712 | Sample: mipsel.elf | Start date: 17/02/2025 | Architecture: LINUX | Score: 60

Graph nodes: iranistrash.libre; 103.35.190.176 (ports 5000, 52752; VECTANT ARTERIA Networks Corporation JP, Japan); 2 other IPs or domains.
Process chain: mipsel.elf started mipsel.elf, which started mipsel.elf.
Signatures on the graph: Multi AV Scanner detection for submitted file; Performs DNS TXT record lookups (iranistrash.libre); Sample deletes itself; Opens /sys/class/net/* files useful for querying network interface information.

Source | Detection | Scanner | Label
mipsel.elf | 21% | Virustotal |
mipsel.elf | 14% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high
iranistrash.libre | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.35.190.176 | unknown | Japan | 2519 | VECTANT ARTERIA Networks Corporation JP | false
172.217.192.127 | unknown | United States | 15169 | GOOGLE US | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.35.190.176 | sh4.elf | malicious | Unknown |
103.35.190.176 | armv4l.elf | malicious | Unknown |
103.35.190.176 | sparc.elf | malicious | Unknown |
103.35.190.176 | mips.elf | malicious | Unknown |
103.35.190.176 | mipsel.elf | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | armv6l.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | armv5l.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | main_mpsl.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | xxxx.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | sysinfo.elf | malicious | Sliver | 162.213.35.25
daisy.ubuntu.com | hide.m68k.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | hide.mpsl.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | hide.arm6.elf | malicious | Unknown | 162.213.35.25

Match | Associated Sample Name / URL | Detection | Threat Name | Context
VECTANT ARTERIA Networks Corporation JP | sh4.elf | malicious | Unknown | 103.35.190.176
VECTANT ARTERIA Networks Corporation JP | armv4l.elf | malicious | Unknown | 36.3.233.191
VECTANT ARTERIA Networks Corporation JP | armv6l.elf | malicious | Unknown | 122.223.93.2
VECTANT ARTERIA Networks Corporation JP | Owari.arm.elf | malicious | Unknown | 203.114.9.204
VECTANT ARTERIA Networks Corporation JP | res.mips.elf | malicious | Unknown | 220.158.51.57
VECTANT ARTERIA Networks Corporation JP | jade.sh4.elf | malicious | Mirai | 36.2.53.56
VECTANT ARTERIA Networks Corporation JP | Fantazy.sh4.elf | malicious | Mirai | 157.14.200.76
VECTANT ARTERIA Networks Corporation JP | x86.elf | malicious | Mirai, Moobot | 157.14.224.29
VECTANT ARTERIA Networks Corporation JP | Fantazy.mips.elf | malicious | Unknown | 202.241.163.130
VECTANT ARTERIA Networks Corporation JP | jackmyx86.elf | malicious | Mirai | 157.14.224.72
No context
                No created / dropped files found
File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.456488999106726
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: mipsel.elf
File size: 92'288 bytes
MD5: fbad21895af9eb439d58aac92ab0a0b9
SHA1: ffeb12903447a54b04529b607d43d23490e956a1
SHA256: 62ffefdd46f5f0bd15fd87927fc6a55a17d6477c56f6cc72b42d47b4459759ab
SHA512: cce16706defddeaaaca2bba3a8288aaeb875b3a7c4f72afea74eb9dd992cb24a6e4e5ec3d9aa4508a739a9dea35939260c16dc3def8835548d6a0166eaaf55a2
SSDEEP: 1536:6idLX62Ke17M6j66dbq18uY0ZOYddueWPEgGgwVOPWKwjh7L:6obh7My66dbqioOYSHvm
TLSH: A193D605BF510FB7E86FCD374AE91B02158D961A22A97F367E34DC18F64B64B09E3860
File Content Preview: .ELF....................`.@.4....f......4. ...(...............@...@..[...[...............`...`E..`E.T...$...........Q.td...............................<<..'!......'.......................<...'!... .........9'.. ........................<...'!...........@S9

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400260
Flags: 0x1007
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 91808
Section Header Size: 40
Number of Section Headers: 12
Header String Table Index: 11
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400120 | 0x120 | 0x15290 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x4153b0 | 0x153b0 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x415410 | 0x15410 | 0x7d0 | 0x0 | 0x2 | A | 0 | 0 | 16
.ctors | PROGBITS | 0x456000 | 0x16000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x456008 | 0x16008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x456020 | 0x16020 | 0x1b8 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x4561e0 | 0x161e0 | 0x474 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
.sbss | NOBITS | 0x456654 | 0x16654 | 0x8 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.bss | NOBITS | 0x456660 | 0x16654 | 0x14c4 | 0x0 | 0x3 | WA | 0 | 0 | 16
.shstrtab | STRTAB | 0x0 | 0x16654 | 0x49 | 0x0 | 0x0 | | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x15be0 | 0x15be0 | 5.5168 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0x16000 | 0x456000 | 0x456000 | 0x654 | 0x1b24 | 3.5795 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .got .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


• Total Packets: 10
• Ports seen: 5000 (undefined), 53 (DNS)
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 06:48:09.922193050 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
Feb 17, 2025 06:48:09.927046061 CET | 5000 | 52752 | 103.35.190.176 | 192.168.2.13
Feb 17, 2025 06:48:09.927180052 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
Feb 17, 2025 06:48:09.927506924 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
Feb 17, 2025 06:48:09.932286024 CET | 5000 | 52752 | 103.35.190.176 | 192.168.2.13
Feb 17, 2025 06:48:10.371826887 CET | 5000 | 52752 | 103.35.190.176 | 192.168.2.13
Feb 17, 2025 06:48:10.372008085 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
Feb 17, 2025 06:49:10.430670977 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
Feb 17, 2025 06:49:10.435534954 CET | 5000 | 52752 | 103.35.190.176 | 192.168.2.13
Feb 17, 2025 06:50:10.491786003 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
Feb 17, 2025 06:50:10.496802092 CET | 5000 | 52752 | 103.35.190.176 | 192.168.2.13
Feb 17, 2025 06:50:10.587393045 CET | 5000 | 52752 | 103.35.190.176 | 192.168.2.13
Feb 17, 2025 06:50:10.587630987 CET | 52752 | 5000 | 192.168.2.13 | 103.35.190.176
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 06:48:09.253189087 CET | 17936 | 3478 | 192.168.2.13 | 172.217.192.127
Feb 17, 2025 06:48:09.817883968 CET | 3478 | 17936 | 172.217.192.127 | 192.168.2.13
Feb 17, 2025 06:48:09.901693106 CET | 52337 | 53 | 192.168.2.13 | 202.61.197.122
Feb 17, 2025 06:48:09.919692039 CET | 53 | 52337 | 202.61.197.122 | 192.168.2.13
Feb 17, 2025 06:48:11.284235954 CET | 60235 | 53 | 192.168.2.13 | 1.1.1.1
Feb 17, 2025 06:48:11.284301043 CET | 35578 | 53 | 192.168.2.13 | 1.1.1.1
Feb 17, 2025 06:48:11.291095018 CET | 53 | 35578 | 1.1.1.1 | 192.168.2.13
Feb 17, 2025 06:48:11.291426897 CET | 53 | 60235 | 1.1.1.1 | 192.168.2.13
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 17, 2025 06:48:09.901693106 CET | 192.168.2.13 | 202.61.197.122 | 0x68da | Standard query (0) | iranistrash.libre | 16 | IN (0x0001) | false
Feb 17, 2025 06:48:11.284235954 CET | 192.168.2.13 | 1.1.1.1 | 0x8b0b | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Feb 17, 2025 06:48:11.284301043 CET | 192.168.2.13 | 1.1.1.1 | 0xd26 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 17, 2025 06:48:09.919692039 CET | 202.61.197.122 | 192.168.2.13 | 0x68da | No error (0) | iranistrash.libre | | | TXT (Text strings) | IN (0x0001) | false
Feb 17, 2025 06:48:11.291426897 CET | 1.1.1.1 | 192.168.2.13 | 0x8b0b | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 06:48:11.291426897 CET | 1.1.1.1 | 192.168.2.13 | 0x8b0b | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 05:48:07
Start date (UTC): 17/02/2025
Path: /tmp/mipsel.elf
Arguments: /tmp/mipsel.elf
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC): 05:48:09
Start date (UTC): 17/02/2025
Path: /tmp/mipsel.elf
Arguments: -
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9