Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
linux.elf

Overview

General Information

Sample name:linux.elf
Analysis ID:1634737
MD5:e370d79026d94243db66daeaf168bca7
SHA1:10f2d052d36fa69d5c6a28973d21ce8525b746e7
SHA256:f56d3ceec8434816b180cc304eeab82ff6dd6f85e21bd2d98a415a1c94e9580d
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1634737
Start date and time:2025-03-11 04:12:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 17s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:linux.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0

Runtime Messages

Command:/tmp/linux.elf
PID:5431
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • linux.elf (PID: 5431, Parent: 5354, MD5: e370d79026d94243db66daeaf168bca7) Arguments: /tmp/linux.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: linux.elfVirustotal: Detection: 17%Perma Link
Source: linux.elfReversingLabs: Detection: 13%
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappingsProgram segment: 0x400000
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: linux.elfSubmission file: segment LOAD with 7.627 entropy (max. 8.0)
Source: linux.elfSubmission file: segment LOAD with 7.9422 entropy (max. 8.0)

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634737 Sample: linux.elf Startdate: 11/03/2025 Architecture: LINUX Score: 48 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 6 linux.elf 2->6         started        signatures3 process4

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
linux.elf17%VirustotalBrowse
linux.elf13%ReversingLabsLinux.Trojan.Generic

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.commorte.arm6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    nabarm6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    bin.sh.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    debug.dbg.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    boatnet.spc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    sshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    mpsl.elfGet hashmaliciousMirai, MoobotBrowse
    • 162.213.35.24
    arm5.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    arm6.elfGet hashmaliciousMirai, MoobotBrowse
    • 162.213.35.24

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
    Entropy (8bit):7.942196949921144
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:linux.elf
    File size:915'136 bytes
    MD5:e370d79026d94243db66daeaf168bca7
    SHA1:10f2d052d36fa69d5c6a28973d21ce8525b746e7
    SHA256:f56d3ceec8434816b180cc304eeab82ff6dd6f85e21bd2d98a415a1c94e9580d
    SHA512:6afa086d3bf454bbc4be0517d022d3242f098c37d6b0c9f4dc34bb20ca9cdc032099c8979bc1afec28035eecb69cd6a524199fd0e18292314a32dea7af1bd408
    SSDEEP:24576:g0LXDY6hVwCBPq34s+hAjiy+tLTli+7E3R6w8R:gSTThuIhuiywLRV7G6w8R
    TLSH:CC1523B05F52149929B3DABBF339635E3258FA1AB1FEAFDB6934147E001CD017E5A009
    File Content Preview:.ELF..............>.....x.......@...................@.8...........................@.......@...............|.............................................>V$.....>V$.............Q.td....................................................#...UPX!..........W..4T

    Static ELF Info

    ELF header

    Class:ELF64
    Data:2's complement, little endian
    Version:1 (current)
    Machine:Advanced Micro Devices X86-64
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0xe0db78
    Flags:0x0
    ELF Header Size:64
    Program Header Offset:64
    Program Header Size:56
    Number of Program Headers:3
    Section Header Offset:0
    Section Header Size:0
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x4000000x4000000x10000x7c87b07.62700x6RW 0x1000
    LOAD0x00xbc90000xbc90000x24563e0x24563e7.94220x5R E0x1000
    GNU_STACK0x00x00x00x00x00.00000x6RW 0x10

    Network Behavior

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Mar 11, 2025 04:12:50.764801979 CET5653353192.168.2.138.8.8.8
    Mar 11, 2025 04:12:50.764874935 CET5278753192.168.2.138.8.8.8
    Mar 11, 2025 04:12:50.771126032 CET53565338.8.8.8192.168.2.13
    Mar 11, 2025 04:12:50.771202087 CET53527878.8.8.8192.168.2.13

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Mar 11, 2025 04:12:50.764801979 CET192.168.2.138.8.8.80x2f3aStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Mar 11, 2025 04:12:50.764874935 CET192.168.2.138.8.8.80xc02Standard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Mar 11, 2025 04:12:50.771126032 CET8.8.8.8192.168.2.130x2f3aNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
    Mar 11, 2025 04:12:50.771126032 CET8.8.8.8192.168.2.130x2f3aNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):03:12:48
    Start date (UTC):11/03/2025
    Path:/tmp/linux.elf
    Arguments:/tmp/linux.elf
    File size:915136 bytes
    MD5 hash:e370d79026d94243db66daeaf168bca7