Edit tour

Linux Analysis Report
tftp.elf

Overview

General Information

Sample name:tftp.elf
Analysis ID:1617641
MD5:f4900d40d7ec0b733d5dbca2d229f017
SHA1:a32e8080ad2e63d4815615789c9809c15ba0cb40
SHA256:b0f4e96ad8ba65c413e728978585c70c412d4b3e466de6037ffd04a22d96ac56
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1617641
Start date and time:2025-02-18 05:57:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 18s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:tftp.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0
Command:/tmp/tftp.elf
PID:5435
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • tftp.elf (PID: 5435, Parent: 5359, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/tftp.elf
  • cleanup
No yara matches
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: tftp.elfReversingLabs: Detection: 21%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: /tmp/tftp.elf (PID: 5435)Queries kernel information via 'uname': Jump to behavior
Source: tftp.elf, 5435.1.000055a50e290000.000055a50e39c000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: tftp.elf, 5435.1.000055a50e290000.000055a50e39c000.rw-.sdmpBinary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: tftp.elf, 5435.1.000055a50e290000.000055a50e39c000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: tftp.elf, 5435.1.00007ffe288c3000.00007ffe288e4000.rw-.sdmpBinary or memory string: Lx86_64/usr/bin/qemu-arm/tmp/tftp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp.elf
Source: tftp.elf, 5435.1.00007ffe288c3000.00007ffe288e4000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: tftp.elf, 5435.1.000055a50e290000.000055a50e39c000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617641 Sample: tftp.elf Startdate: 18/02/2025 Architecture: LINUX Score: 48 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 6 tftp.elf 2->6         started        signatures3 process4

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
tftp.elf22%ReversingLabsLinux.Trojan.Multiverze
No Antivirus matches
No Antivirus matches
No Antivirus matches

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    high
    No contacted IP infos
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.compftp.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    openssh.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    boatnet.arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    boatnet.spc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    boatnet.arm6.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    boatnet.ppc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    boatnet.arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    arm5.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    arm6.elfGet hashmaliciousMirai, MoobotBrowse
    • 162.213.35.24
    No context
    No context
    No context
    No created / dropped files found
    File type:ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, missing section headers at 381572
    Entropy (8bit):6.00965914455681
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:tftp.elf
    File size:102'400 bytes
    MD5:f4900d40d7ec0b733d5dbca2d229f017
    SHA1:a32e8080ad2e63d4815615789c9809c15ba0cb40
    SHA256:b0f4e96ad8ba65c413e728978585c70c412d4b3e466de6037ffd04a22d96ac56
    SHA512:4fd0725f631efed8e367bdb4db17791b9373d14388f6d88c116ea1185944a6baf40e1ff386cf1110c6f508af9ccb76883bd59a400cf2ce5facc7c7fe378cae82
    SSDEEP:3072:9LOuh02xHCKQnqZ9YfMXKgyLlBZSyPjYrT:FOuhPHCKsqZ9YfM6g23ZJLYrT
    TLSH:63A30A96F8A28B56C4C557B7FB4FC75637231795E3DF36038A184E34278B50A8E3AA01
    File Content Preview:.ELF..............(.........4...........4. ...(........p.....+...+......................4...4...4...@...@...............t...t...t..............................................................................................................................

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Feb 18, 2025 05:57:57.694001913 CET3592253192.168.2.131.1.1.1
    Feb 18, 2025 05:57:57.694001913 CET4003253192.168.2.131.1.1.1
    Feb 18, 2025 05:57:57.701073885 CET53400321.1.1.1192.168.2.13
    Feb 18, 2025 05:57:57.701173067 CET53359221.1.1.1192.168.2.13
    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Feb 18, 2025 05:57:57.694001913 CET192.168.2.131.1.1.10x60d9Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Feb 18, 2025 05:57:57.694001913 CET192.168.2.131.1.1.10x283bStandard query (0)daisy.ubuntu.com28IN (0x0001)false
    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Feb 18, 2025 05:57:57.701173067 CET1.1.1.1192.168.2.130x60d9No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
    Feb 18, 2025 05:57:57.701173067 CET1.1.1.1192.168.2.130x60d9No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

    System Behavior

    Start time (UTC):04:57:55
    Start date (UTC):18/02/2025
    Path:/tmp/tftp.elf
    Arguments:/tmp/tftp.elf
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1