Linux Analysis Report
armv6l.elf

Overview

General Information

Sample name: armv6l.elf
Analysis ID: 1616740
MD5: 7ab5c62f393c986de1e8584aa11d3756
SHA1: 9078a73916a7bb84f2f2a28216992d2b17db40f4
SHA256: 522df0217822268161acc987d6b51e7011bef290ba2bbf94a3014de304823756
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1616740
Start date and time: 2025-02-17 07:22:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: armv6l.elf
Detection: MAL
Classification: mal60.spyw.evad.linELF@0/0@1/0
Command: /tmp/armv6l.elf
PID: 6236
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: Firmware update in progress
Standard Error:

Process tree:
  • system is lnxubuntu20
  • armv6l.elf (PID: 6236, Parent: 6159, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/armv6l.elf
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: armv6l.elf | Virustotal: Detection: 17%
Source: armv6l.elf | ReversingLabs: Detection: 24%

Networking

Source: /tmp/armv6l.elf (PID: 6240) | Opens: /sys/class/net/
Source: /tmp/armv6l.elf (PID: 6240) | Opens: /sys/class/net/ens160/address
Source: /tmp/armv6l.elf (PID: 6240) | Opens: /sys/class/net/ens160/flags
Source: /tmp/armv6l.elf (PID: 6240) | Opens: /sys/class/net/ens160/carrier
Source: global traffic | TCP traffic: 192.168.2.23:36476 -> 103.35.190.176:5222
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 103.35.190.176
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | UDP traffic detected without corresponding DNS query: 172.217.192.127
Source: global traffic | DNS traffic detected: DNS query: iranistrash.libre
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal60.spyw.evad.linELF@0/0@1/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/armv6l.elf (PID: 6236) | File: /tmp/armv6l.elf
Source: /tmp/armv6l.elf (PID: 6236) | Queries kernel information via 'uname'
Source: /tmp/armv6l.elf (PID: 6240) | Queries kernel information via 'uname'
Source: armv6l.elf, 6236.1.00007ffe4b921000.00007ffe4b942000.rw-.sdmp | Binary or memory string: bx86_64/usr/bin/qemu-arm/tmp/armv6l.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/armv6l.elf
Source: armv6l.elf, 6236.1.0000563c154ab000.0000563c155fa000.rw-.sdmp | Binary or memory string: <V!/etc/qemu-binfmt/arm
Source: armv6l.elf, 6236.1.0000563c154ab000.0000563c155fa000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: armv6l.elf, 6236.1.00007ffe4b921000.00007ffe4b942000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: iranistrash.libre

MITRE ATT&CK matrix (matched techniques only; unmatched matrix cells omitted)

Tactic | Technique | Matches
Defense Evasion | File Deletion | 1
Discovery | Security Software Discovery | 11
Command and Control | Encrypted Channel | 1
Command and Control | Non-Standard Port | 1
Command and Control | Non-Application Layer Protocol | 1
Command and Control | Application Layer Protocol | 2
No configs have been found
Behavior graph (ID: 1616740, sample: armv6l.elf, start date: 17/02/2025, architecture: LINUX, score: 60): armv6l.elf started a child armv6l.elf, which in turn started a further armv6l.elf. The sample contacted iranistrash.libre (DNS TXT record lookups), 103.35.190.176 on port 5222 from source port 36476 (VECTANT ARTERIA Networks Corporation JP, Japan), and 4 other IPs or domains. Signatures attached to the graph: Multi AV Scanner detection for submitted file; Performs DNS TXT record lookups; Sample deletes itself; Opens /sys/class/net/* files useful for querying network interface information.
Source | Detection | Scanner | Label
armv6l.elf | 17% | Virustotal |
armv6l.elf | 24% | ReversingLabs | Linux.Backdoor.Mirai

No Antivirus matches for dropped files, URLs or domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
iranistrash.libre | unknown | unknown | false | |

IP | Domain | Country | ASN | ASN Name | Malicious
103.35.190.176 | unknown | Japan | 2519 | VECTANTARTERIANetworksCorporationJP | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
172.217.192.127 | unknown | United States | 15169 | GOOGLEUS | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
IP context (associated samples previously seen contacting the same IP; detection and threat name as reported)

Match: 103.35.190.176
  • mipsel.elf (malicious, Unknown)
  • sh4.elf (malicious, Unknown)
  • armv4l.elf (malicious, Unknown)
  • sparc.elf (malicious, Unknown)
  • mips.elf (malicious, Unknown)
  • mipsel.elf (malicious, Unknown)

Match: 109.202.202.202
  • kpLwzBouH4.elf (malicious, Unknown); context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

Match: 91.189.91.43 and 91.189.91.42 (identical lists for both IPs)
  • i686.elf (malicious, Unknown)
  • .i.elf (malicious, Unknown)
  • na.elf (malicious, Unknown)
  • arc.elf (malicious, Unknown)
  • sh4.elf (malicious, Unknown)
  • na.elf (malicious, Prometei)
  • dd.elf (malicious, Unknown)
  • sparc.elf (malicious, Unknown)
  • i.elf (malicious, Mirai)
  • armv4eb.elf (malicious, Unknown)

Domain context: No context
ASN context (associated samples previously seen contacting the same ASN; the contacted IP is given per sample)

Match: CANONICAL-ASGB (the same ten entries appear twice in the report, once per observed Canonical IP)
  • i686.elf (malicious, Unknown) via 91.189.91.42
  • .i.elf (malicious, Unknown) via 91.189.91.42
  • na.elf (malicious, Unknown) via 91.189.91.42
  • arc.elf (malicious, Unknown) via 91.189.91.42
  • sh4.elf (malicious, Unknown) via 91.189.91.42
  • na.elf (malicious, Prometei) via 91.189.91.42
  • dd.elf (malicious, Unknown) via 91.189.91.42
  • sparc.elf (malicious, Unknown) via 91.189.91.42
  • i.elf (malicious, Mirai) via 91.189.91.42
  • armv4eb.elf (malicious, Unknown) via 91.189.91.42

Match: INIT7CH
  • i686.elf (malicious, Unknown) via 109.202.202.202
  • .i.elf (malicious, Unknown) via 109.202.202.202
  • na.elf (malicious, Unknown) via 109.202.202.202
  • arc.elf (malicious, Unknown) via 109.202.202.202
  • sh4.elf (malicious, Unknown) via 109.202.202.202
  • na.elf (malicious, Prometei) via 109.202.202.202
  • dd.elf (malicious, Unknown) via 109.202.202.202
  • sparc.elf (malicious, Unknown) via 109.202.202.202
  • i.elf (malicious, Mirai) via 109.202.202.202
  • armv4eb.elf (malicious, Unknown) via 109.202.202.202

Match: VECTANTARTERIANetworksCorporationJP
  • mipsel.elf (malicious, Unknown) via 103.35.190.176
  • sh4.elf (malicious, Unknown) via 103.35.190.176
  • armv4l.elf (malicious, Unknown) via 36.3.233.191
  • armv6l.elf (malicious, Unknown) via 122.223.93.2
  • Owari.arm.elf (malicious, Unknown) via 203.114.9.204
  • res.mips.elf (malicious, Unknown) via 220.158.51.57
  • jade.sh4.elf (malicious, Mirai) via 36.2.53.56
  • Fantazy.sh4.elf (malicious, Mirai) via 157.14.200.76
  • x86.elf (malicious, Mirai, Moobot) via 157.14.224.29
  • Fantazy.mips.elf (malicious, Unknown) via 202.241.163.130

JA3 / dropped file context: No context
                                                        No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.016196879654756
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: armv6l.elf
File size: 79'060 bytes
MD5: 7ab5c62f393c986de1e8584aa11d3756
SHA1: 9078a73916a7bb84f2f2a28216992d2b17db40f4
SHA256: 522df0217822268161acc987d6b51e7011bef290ba2bbf94a3014de304823756
SHA512: a8f3ed5e3303dc0e6bacb79560aebb493938b421fac3e92856976b78dd6874993944922065d867a06919a7888f8cbe5f4c233211bd7b70dc6aef7c48b2823fd0
SSDEEP: 1536:g1nFzm7LVqtfTy6cZsJcSvxb9w8HBTDun0pv2KzbtMNzia4bCOYc:CCpqtfkSzpxNsneYsCOYc
TLSH: AC7329467D818B55C8D122BAFE2E168E332317B8E3DF72229D105F24778B92B0E77552
File Content Preview: .ELF..............(.....T...4....2......4. ...(......................(...(...............0...0...0..T....9..........Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../.T2.......0....-.@0....S

                                                        ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8154
Flags: 0x4000002
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 78540
Section Header Size: 40
Number of Section Headers: 13
Header String Table Index: 12

Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8094 | 0x94 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80b0 | 0xb0 | 0x12038 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x1a0e8 | 0x120e8 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1a0f8 | 0x120f8 | 0x7b4 | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x23000 | 0x13000 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x23004 | 0x13004 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x23008 | 0x13008 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x23010 | 0x13010 | 0x74 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x23084 | 0x13084 | 0x1d0 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x23254 | 0x13254 | 0x375c | 0x0 | 0x3 | WA | 0 | 0 | 4
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x13254 | 0x10 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x13264 | 0x67 | 0x0 | 0x0 | | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x128ac | 0x128ac | 6.1230 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata
LOAD | 0x13000 | 0x23000 | 0x23000 | 0x254 | 0x39b0 | 2.5894 | 0x6 | RW | 0x8000 | | .eh_frame .init_array .fini_array .got .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

                                                        • Total Packets: 13
                                                        • 5222 undefined
                                                        • 443 (HTTPS)
                                                        • 80 (HTTP)
                                                        • 53 (DNS)
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 07:23:14.547003984 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Feb 17, 2025 07:23:18.777585030 CET | 36476 | 5222 | 192.168.2.23 | 103.35.190.176
Feb 17, 2025 07:23:18.782599926 CET | 5222 | 36476 | 103.35.190.176 | 192.168.2.23
Feb 17, 2025 07:23:18.782766104 CET | 36476 | 5222 | 192.168.2.23 | 103.35.190.176
Feb 17, 2025 07:23:18.783243895 CET | 36476 | 5222 | 192.168.2.23 | 103.35.190.176
Feb 17, 2025 07:23:18.788114071 CET | 5222 | 36476 | 103.35.190.176 | 192.168.2.23
Feb 17, 2025 07:23:19.270961046 CET | 5222 | 36476 | 103.35.190.176 | 192.168.2.23
Feb 17, 2025 07:23:19.271034956 CET | 36476 | 5222 | 192.168.2.23 | 103.35.190.176
Feb 17, 2025 07:23:20.177938938 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Feb 17, 2025 07:23:21.457935095 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Feb 17, 2025 07:23:34.767983913 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Feb 17, 2025 07:23:47.054502964 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Feb 17, 2025 07:23:51.150002956 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Feb 17, 2025 07:24:15.722500086 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Feb 17, 2025 07:24:39.329833984 CET | 36476 | 5222 | 192.168.2.23 | 103.35.190.176
Feb 17, 2025 07:24:39.334880114 CET | 5222 | 36476 | 103.35.190.176 | 192.168.2.23

UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 07:23:18.153928041 CET | 30042 | 3478 | 192.168.2.23 | 172.217.192.127
Feb 17, 2025 07:23:18.712989092 CET | 3478 | 30042 | 172.217.192.127 | 192.168.2.23
Feb 17, 2025 07:23:18.766768932 CET | 51048 | 53 | 192.168.2.23 | 195.10.195.195
Feb 17, 2025 07:23:18.773859978 CET | 53 | 51048 | 195.10.195.195 | 192.168.2.23

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 17, 2025 07:23:18.766768932 CET | 192.168.2.23 | 195.10.195.195 | 0xc3eb | Standard query (0) | iranistrash.libre | 16 | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 17, 2025 07:23:18.773859978 CET | 195.10.195.195 | 192.168.2.23 | 0xc3eb | No error (0) | iranistrash.libre | | | TXT (Text strings) | IN (0x0001) | false

                                                        System Behavior

Start time (UTC): 06:23:14
Start date (UTC): 17/02/2025
Path: /tmp/armv6l.elf
Arguments: /tmp/armv6l.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 06:23:18
Start date (UTC): 17/02/2025
Path: /tmp/armv6l.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1