Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:ppc.elf
Analysis ID:1639686
MD5:a19680d028dc99f7d4d659975f56271a
SHA1:5ecefde20e215ad549563222ceffa29cfd3b5e8a
SHA256:6ced39e6ea59f32ceda144459135a2f61d6fac97d723c88ef7e2fc5c03748cc8
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1639686
Start date and time:2025-03-16 02:44:36 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ppc.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0
Command:/tmp/ppc.elf
PID:5460
Exit Code:132
Exit Code Info:SIGILL (4) Illegal Instruction
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 4 (Illegal instruction) - core dumped
  • system is lnxubuntu20
  • ppc.elf (PID: 5460, Parent: 5379, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf
  • cleanup
No yara matches
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: ppc.elfVirustotal: Detection: 10%Perma Link
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: /tmp/ppc.elf (PID: 5460)Queries kernel information via 'uname': Jump to behavior
Source: ppc.elf, 5460.1.0000559d19da8000.0000559d19e37000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: ppc.elf, 5460.1.00007ffe15d4d000.00007ffe15d6e000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 5460.1.0000559d19da8000.0000559d19e37000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 5460.1.00007ffe15d4d000.00007ffe15d6e000.rw-.sdmpBinary or memory string: /usr/bin/qemu-ppc
Source: ppc.elf, 5460.1.00007ffe15d4d000.00007ffe15d6e000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 4 (Illegal instruction) - core dumped
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1639686 Sample: ppc.elf Startdate: 16/03/2025 Architecture: LINUX Score: 48 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 6 ppc.elf 2->6         started        signatures3 process4

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
ppc.elf11%VirustotalBrowse
ppc.elf6%ReversingLabsLinux.Trojan.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    high
    No contacted IP infos
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.commips.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    arm6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    sshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    sshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    No context
    No context
    No context
    No created / dropped files found
    File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked, not stripped
    Entropy (8bit):5.872554034153908
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:ppc.elf
    File size:111'424 bytes
    MD5:a19680d028dc99f7d4d659975f56271a
    SHA1:5ecefde20e215ad549563222ceffa29cfd3b5e8a
    SHA256:6ced39e6ea59f32ceda144459135a2f61d6fac97d723c88ef7e2fc5c03748cc8
    SHA512:e1170f2a30b86d059094306d41849f788e56a5761e2f66f353485a710a6110c8da3eeba8118db4472a55638837cfdf5eac70f208589a11f129a7036459e76004
    SSDEEP:1536:f8XompQJQvB0SV5uh6/A/EHLa/fEP65EJU2Y/tlV2RqTe+IOAoMtQPENYhx:NmpQJCWL0y5rQVOtPEGhx
    TLSH:98B34902B328449BD6F71FF027AF57F1B77A4A4115B5A282350AA74A4573F322906FCE
    File Content Preview:.ELF...........................4...`.....4. ...(.......................x...x...............p...p...p......IP............................................|......$H...H......$8!. |........!..|.......?..........X........@..`= ..;........+../...A..$....}).....

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Mar 16, 2025 02:45:34.648269892 CET4704253192.168.2.131.1.1.1
    Mar 16, 2025 02:45:34.648333073 CET4741553192.168.2.131.1.1.1
    Mar 16, 2025 02:45:34.655214071 CET53474151.1.1.1192.168.2.13
    Mar 16, 2025 02:45:34.656178951 CET53470421.1.1.1192.168.2.13
    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Mar 16, 2025 02:45:34.648269892 CET192.168.2.131.1.1.10xf282Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Mar 16, 2025 02:45:34.648333073 CET192.168.2.131.1.1.10x8432Standard query (0)daisy.ubuntu.com28IN (0x0001)false
    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Mar 16, 2025 02:45:34.656178951 CET1.1.1.1192.168.2.130xf282No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
    Mar 16, 2025 02:45:34.656178951 CET1.1.1.1192.168.2.130xf282No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

    System Behavior

    Start time (UTC):01:45:32
    Start date (UTC):16/03/2025
    Path:/tmp/ppc.elf
    Arguments:/tmp/ppc.elf
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6