Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
.i.elf

Overview

General Information

Sample name:.i.elf
Analysis ID:1636754
MD5:b8dd2dd312c1e8be63d9e50129c0c71c
SHA1:179618f02ff646471ddb9aabf276630c15f634aa
SHA256:99854b860677f2074cc80897edd0b41b1c3b098a051e530e82279cee4a7299c7
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1636754
Start date and time:2025-03-13 03:37:16 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 22s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:.i.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0

Runtime Messages

Command:/tmp/.i.elf
PID:5504
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • .i.elf (PID: 5504, Parent: 5431, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/.i.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: .i.elfAvira: detected
Source: .i.elfVirustotal: Detection: 50%Perma Link
Source: .i.elfReversingLabs: Detection: 60%
Source: global trafficTCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknownNetwork traffic detected: HTTP traffic on port 46540 -> 443
Source: LOAD without section mappingsProgram segment: 0x100000
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: .i.elfSubmission file: segment LOAD with 7.9947 entropy (max. 8.0)
Source: /tmp/.i.elf (PID: 5504)Queries kernel information via 'uname': Jump to behavior
Source: .i.elf, 5504.1.00007fff04c57000.00007fff04c78000.rw-.sdmpBinary or memory string: >x86_64/usr/bin/qemu-mips/tmp/.i.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.i.elf
Source: .i.elf, 5504.1.000056498bb96000.000056498bc1d000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: .i.elf, 5504.1.000056498bb96000.000056498bc1d000.rw-.sdmpBinary or memory string: IV!/etc/qemu-binfmt/mips
Source: .i.elf, 5504.1.00007fff04c57000.00007fff04c78000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: .i.elf, 5504.1.00007fff04c57000.00007fff04c78000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1636754 Sample: .i.elf Startdate: 13/03/2025 Architecture: LINUX Score: 56 8 185.125.190.26, 443 CANONICAL-ASGB United Kingdom 2->8 10 daisy.ubuntu.com 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 6 .i.elf 2->6         started        signatures3 process4

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
.i.elf51%VirustotalBrowse
.i.elf61%ReversingLabsLinux.Infostealer.Berbew
.i.elf100%AviraJS/Berbew.qwkst

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    185.125.190.26
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    185.125.190.26na.elfGet hashmaliciousPrometeiBrowse
      na.elfGet hashmaliciousPrometeiBrowse
        NewAge3ATOppc.elfGet hashmaliciousUnknownBrowse
          na.elfGet hashmaliciousPrometeiBrowse
            na.elfGet hashmaliciousPrometeiBrowse
              na.elfGet hashmaliciousPrometeiBrowse
                na.elfGet hashmaliciousPrometeiBrowse
                  FederalmipsAgent.elfGet hashmaliciousMiraiBrowse
                    na.elfGet hashmaliciousPrometeiBrowse
                      main_arm5.elfGet hashmaliciousMiraiBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comNewAge3ATOsh4.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        NewAge3ATOppc.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        NewAge3ATOm68k.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        3atoNational.spc.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        3atoNational.ppc.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        3atoNational.x86.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        NewAge3ATOspc.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        3atoNational.mpsl.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        3atoNational.mips.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        NewAge3ATOmips.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 185.125.190.26
                        .i.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 185.125.190.26
                        NewAge3ATOppc.elfGet hashmaliciousUnknownBrowse
                        • 185.125.190.26
                        NewAge3ATOmpsl.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        NewAge3ATOx86.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                        Entropy (8bit):7.994675659103161
                        TrID:
                        • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                        • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                        File name:.i.elf
                        File size:45'184 bytes
                        MD5:b8dd2dd312c1e8be63d9e50129c0c71c
                        SHA1:179618f02ff646471ddb9aabf276630c15f634aa
                        SHA256:99854b860677f2074cc80897edd0b41b1c3b098a051e530e82279cee4a7299c7
                        SHA512:e6cd5e3c5bc44ea0557ae02bda38397b78354f790e7c21d7aadb19f880aeecfac3d097af9b61c18228223d2e8f4e4401c383f6235129ad87582a5f46514dfa5e
                        SSDEEP:768:YTYIDfYG6ZmewZ59+Nw1qsREH20j7UNqVwi7M8ghFM04ZTzEsDm1P:yYI0ARqw1qAEW67UIWi7M8gmfml
                        TLSH:C213028236A53F72D52188F4D7BCEFCA614A7D94EFE9181BBC113698B47135C28C981A
                        File Content Preview:.ELF....................../....4.........4. ...(......................Bd..Bd.................G...G.................................................^.......?.E.h4...@b..) ..]..0...a.t<..mc.zy/..>..!c...gM\<j..W`xD'..}...\..].j.L.u...S..i...../..F...@`..'k.

                        Static ELF Info

                        ELF header

                        Class:ELF32
                        Data:2's complement, big endian
                        Version:1 (current)
                        Machine:MIPS R3000
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:UNIX - System V
                        ABI Version:0
                        Entry Point Address:0x112fe8
                        Flags:0x1007
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:2
                        Section Header Offset:0
                        Section Header Size:40
                        Number of Section Headers:0
                        Header String Table Index:0

                        Program Segments

                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                        LOAD0x00x1000000x1000000x142640x142647.99470x5R E0x10000
                        LOAD0xa6c00x47a6c00x47a6c00x00x00.00000x6RW 0x10000

                        Network Behavior

                        Download Network PCAP: filteredfull

                        Network Port Distribution

                        • Total Packets: 4
                        • 443 (HTTPS)
                        • 53 (DNS)
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 13, 2025 03:38:09.329622030 CET46540443192.168.2.14185.125.190.26
                        Mar 13, 2025 03:38:41.072398901 CET46540443192.168.2.14185.125.190.26
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 13, 2025 03:37:59.838345051 CET4483653192.168.2.141.1.1.1
                        Mar 13, 2025 03:37:59.838381052 CET4152253192.168.2.141.1.1.1
                        Mar 13, 2025 03:37:59.844966888 CET53415221.1.1.1192.168.2.14
                        Mar 13, 2025 03:37:59.845427036 CET53448361.1.1.1192.168.2.14

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Mar 13, 2025 03:37:59.838345051 CET192.168.2.141.1.1.10x827eStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Mar 13, 2025 03:37:59.838381052 CET192.168.2.141.1.1.10x9013Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Mar 13, 2025 03:37:59.845427036 CET1.1.1.1192.168.2.140x827eNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                        Mar 13, 2025 03:37:59.845427036 CET1.1.1.1192.168.2.140x827eNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):02:37:57
                        Start date (UTC):13/03/2025
                        Path:/tmp/.i.elf
                        Arguments:/tmp/.i.elf
                        File size:5777432 bytes
                        MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                        File Activities

                        Process Activities

                        System Activities