Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
gigab.ppc.elf

Overview

General Information

Sample name:gigab.ppc.elf
Analysis ID:1641065
MD5:99bf706aa48a7ef607cea07998592d02
SHA1:33feab4f9576d2287f51293db9f8c761d3506fa6
SHA256:cac8ea59506616dbbc58c41523aba455c6da17df61ef590e9cd6e4532f63107b
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1641065
Start date and time:2025-03-18 02:25:20 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:gigab.ppc.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0

Runtime Messages

Command:/tmp/gigab.ppc.elf
PID:5487
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • gigab.ppc.elf (PID: 5487, Parent: 5408, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/gigab.ppc.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: gigab.ppc.elfVirustotal: Detection: 15%Perma Link
Source: gigab.ppc.elfReversingLabs: Detection: 25%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: /tmp/gigab.ppc.elf (PID: 5487)Queries kernel information via 'uname': Jump to behavior
Source: gigab.ppc.elf, 5487.1.000055aa19af1000.000055aa19b80000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: gigab.ppc.elf, 5487.1.000055aa19af1000.000055aa19b80000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/ppc
Source: gigab.ppc.elf, 5487.1.00007ffcb16ea000.00007ffcb170b000.rw-.sdmpBinary or memory string: /usr/bin/qemu-ppc
Source: gigab.ppc.elf, 5487.1.00007ffcb16ea000.00007ffcb170b000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-ppc/tmp/gigab.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.ppc.elf
Source: gigab.ppc.elf, 5487.1.00007ffcb16ea000.00007ffcb170b000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1641065 Sample: gigab.ppc.elf Startdate: 18/03/2025 Architecture: LINUX Score: 48 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 6 gigab.ppc.elf 2->6         started        signatures3 process4

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gigab.ppc.elf15%VirustotalBrowse
gigab.ppc.elf25%ReversingLabsLinux.Backdoor.Gafgyt

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comsshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    .i.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    arm6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    sshd.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    mips.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    hgfs.ppc.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, missing section headers at 83216
    Entropy (8bit):6.077053231731747
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:gigab.ppc.elf
    File size:77'927 bytes
    MD5:99bf706aa48a7ef607cea07998592d02
    SHA1:33feab4f9576d2287f51293db9f8c761d3506fa6
    SHA256:cac8ea59506616dbbc58c41523aba455c6da17df61ef590e9cd6e4532f63107b
    SHA512:08cc18bb4c574af379d5fc984b18c557e0d92f260796ad0527927098229023d5ca2411e9e575a284d3ac73d8612a546d648fceb3284d3b0abb5b88899f5a1181
    SSDEEP:768:698EQ1xY/2AiuZpOjaLhZICBghH0ixgt45K4YueCGDGlBhbaLWa4ObXsVg4YAO9e:IikEMSCBghH0eKHjqdbcgssVgCOtCbiI
    TLSH:2E73298797190787DDD78AF03D3F37E1D3AE99A020F48585250EAB8647B3E311112F9A
    File Content Preview:.ELF...........................4..B......4. ...(......................3D..3D..............3D..3D..3D......s...............3...3...3.................dt.Q.............................!..|......$H...H..=...$8!. |...N.. .!..|.......?.........6|..../...@..`= .

    Network Behavior

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Mar 18, 2025 02:26:20.371197939 CET3609253192.168.2.131.1.1.1
    Mar 18, 2025 02:26:20.371197939 CET4153053192.168.2.131.1.1.1
    Mar 18, 2025 02:26:20.377939939 CET53415301.1.1.1192.168.2.13
    Mar 18, 2025 02:26:20.378514051 CET53360921.1.1.1192.168.2.13

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Mar 18, 2025 02:26:20.371197939 CET192.168.2.131.1.1.10xbe2cStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Mar 18, 2025 02:26:20.371197939 CET192.168.2.131.1.1.10xa436Standard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Mar 18, 2025 02:26:20.378514051 CET1.1.1.1192.168.2.130xbe2cNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
    Mar 18, 2025 02:26:20.378514051 CET1.1.1.1192.168.2.130xbe2cNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):01:26:18
    Start date (UTC):18/03/2025
    Path:/tmp/gigab.ppc.elf
    Arguments:/tmp/gigab.ppc.elf
    File size:5388968 bytes
    MD5 hash:ae65271c943d3451b7f026d1fadccea6

    File Activities

    Process Activities

    System Activities