
Linux Analysis Report
gigab.arm5.elf

Overview

General Information

Sample name: gigab.arm5.elf
Analysis ID: 1641090
MD5: cdedb6e173aace93f8968069dcae4515
SHA1: 6c220de796c3ae9b91a274b8455c363ad47cf766
SHA256: 309db239b27594f1f25085bc2c7d86af70754ea3751c3f43ceeabf98465dd6c4
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1641090
Start date and time: 2025-03-18 02:50:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: gigab.arm5.elf
Detection: MAL
Classification: mal60.spre.linELF@0/0@2/0
Command: /tmp/gigab.arm5.elf
PID: 5431
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: gigab.arm5.elf | Avira: detected
Source: gigab.arm5.elf | ReversingLabs: Detection: 41%

Spreading

Source: /tmp/gigab.arm5.elf (PID: 5431) | Opens: /proc/net/route
Source: global traffic | TCP traffic: 192.168.2.13:37998 -> 37.44.238.66:666
Source: unknown | TCP traffic detected without corresponding DNS query: 37.44.238.66 (reported 11 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engine | Classification label: mal60.spre.linELF@0/0@2/0
Source: /tmp/gigab.arm5.elf (PID: 5431) | Queries kernel information via 'uname'
Source: gigab.arm5.elf, 5431.1.0000563f0fd23000.0000563f0fe51000.rw-.sdmp, gigab.arm5.elf, 5433.1.0000563f0fd23000.0000563f0fe51000.rw-.sdmp | Binary or memory string: ?V!/etc/qemu-binfmt/arm
Source: gigab.arm5.elf, 5431.1.00007ffed9e31000.00007ffed9e52000.rw-.sdmp, gigab.arm5.elf, 5433.1.00007ffed9e31000.00007ffed9e52000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/gigab.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.arm5.elf
Source: gigab.arm5.elf, 5431.1.0000563f0fd23000.0000563f0fe51000.rw-.sdmp, gigab.arm5.elf, 5433.1.0000563f0fd23000.0000563f0fe51000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: gigab.arm5.elf, 5431.1.00007ffed9e31000.00007ffed9e52000.rw-.sdmp, gigab.arm5.elf, 5433.1.00007ffed9e31000.00007ffed9e52000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
MITRE ATT&CK Matrix (techniques with hits for this sample; all other matrix cells carried no hits):
  • Discovery: Security Software Discovery (1), Remote System Discovery (1)
  • Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
No configs have been found
Behavior Graph (ID: 1641090, Sample: gigab.arm5.elf, Start date: 18/03/2025, Architecture: LINUX, Score: 60):
  • Network nodes: 37.44.238.66 (ports 37998, 666; HARMONYHOSTING-ASFR, France); daisy.ubuntu.com
  • Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
  • Process chain: gigab.arm5.elf started gigab.arm5.elf, which in turn started gigab.arm5.elf (three processes)
  • Process-level signature on the first process: Opens /proc/net/* files useful for finding connected devices and routers

Source | Detection | Scanner | Label
gigab.arm5.elf | 42% | ReversingLabs | Linux.Backdoor.Gafgyt
gigab.arm5.elf | 100% | Avira | LINUX/Gafgyt.opnd
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | (none) | high

IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.66 | unknown | France | 49434 | HARMONYHOSTING-ASFR | false
Context for 37.44.238.66 (Associated Sample Name | Detection | Threat Name):
gigab.mips.elf | malicious | Unknown
gigab.mips.elf | malicious | Gafgyt
gigab.spc.elf | malicious | Gafgyt
gigab.arm5.elf | malicious | Gafgyt
gigab.arm4.elf | malicious | Gafgyt
gigab.x86.elf | malicious | Gafgyt
gigab.ppc.elf | malicious | Gafgyt
gigab.sh4.elf | malicious | Gafgyt
gigab.arm4t.elf | malicious | Gafgyt
gigab.i686.elf | malicious | Gafgyt

Context for daisy.ubuntu.com (Associated Sample Name | Detection | Threat Name | Context IP):
sync.x86.elf | malicious | Unknown | 162.213.35.24
resgod.x86.elf | malicious | Mirai | 162.213.35.24
gigab.ppc.elf | malicious | Unknown | 162.213.35.25
sshd.elf | malicious | Unknown | 162.213.35.24
.i.elf | malicious | Unknown | 162.213.35.25
.i.elf | malicious | Unknown | 162.213.35.24
arm6.elf | malicious | Unknown | 162.213.35.24
arm7.elf | malicious | Mirai | 162.213.35.25
sshd.elf | malicious | Unknown | 162.213.35.25
mips.elf | malicious | Mirai | 162.213.35.24

Context for HARMONYHOSTING-ASFR (Associated Sample Name | Detection | Threat Name | Context IP):
gigab.mips.elf | malicious | Unknown | 37.44.238.66
l7vmra.elf | malicious | Mirai | 37.44.238.92
gigab.mips.elf | malicious | Gafgyt | 37.44.238.66
gigab.spc.elf | malicious | Gafgyt | 37.44.238.66
gigab.arm5.elf | malicious | Gafgyt | 37.44.238.66
gigab.arm4.elf | malicious | Gafgyt | 37.44.238.66
gigab.x86.elf | malicious | Gafgyt | 37.44.238.66
gigab.ppc.elf | malicious | Gafgyt | 37.44.238.66
gigab.sh4.elf | malicious | Gafgyt | 37.44.238.66
gigab.arm4t.elf | malicious | Gafgyt | 37.44.238.66

No context
No created / dropped files found

File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
Entropy (8bit): 5.83048850551615
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: gigab.arm5.elf
File size: 140'191 bytes
MD5: cdedb6e173aace93f8968069dcae4515
SHA1: 6c220de796c3ae9b91a274b8455c363ad47cf766
SHA256: 309db239b27594f1f25085bc2c7d86af70754ea3751c3f43ceeabf98465dd6c4
SHA512: da25cc5f050b4b8bce879d9321b86b161efa12e6f36515ff9181edaf1bfd2b246adcadfa70b21f2777c5d03a283dcfaab96dfaf951bf0b071a3297943a5fb50f
SSDEEP: 3072:jj+Ya9CVjXAl6XbUhuN9HC2RwZV7qA/IcQYQDHO:eYa9CVjwlThuNFC2RwZV7NI4QDu
TLSH: ABD31909D7404B57C1E2237AF7DB824933339B64A3E733159938ABF43BC2BA95E26115
File Content Preview: .ELF..............(.........4...........4. ...(........p.^.......... ... ...........................8_..8_...............`...`...`...... t...............`...`...`..................Q.td..................................-...L..................G.F.G.F.G.F.G.

Network Behavior

  • Total Packets: 13
  • 666 undefined
  • 53 (DNS)

TCP Packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 18, 2025 02:51:09.083825111 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:51:09.088639975 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:51:09.088702917 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:51:09.089848042 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:51:09.094667912 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:51:11.392788887 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:51:11.392929077 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:51:11.541948080 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:51:11.542069912 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:52:11.455738068 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:52:11.455832958 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:52:11.605334997 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:52:11.605432987 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:53:11.415857077 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:53:11.416078091 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:53:11.575227976 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:53:11.575331926 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:54:11.428652048 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:54:11.428996086 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66
Mar 18, 2025 02:54:11.576487064 CET | 666 | 37998 | 37.44.238.66 | 192.168.2.13
Mar 18, 2025 02:54:11.576706886 CET | 37998 | 666 | 192.168.2.13 | 37.44.238.66

UDP Packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 18, 2025 02:53:55.122515917 CET | 51798 | 53 | 192.168.2.13 | 1.1.1.1
Mar 18, 2025 02:53:55.122647047 CET | 45566 | 53 | 192.168.2.13 | 1.1.1.1
Mar 18, 2025 02:53:55.129199982 CET | 53 | 45566 | 1.1.1.1 | 192.168.2.13
Mar 18, 2025 02:53:55.129684925 CET | 53 | 51798 | 1.1.1.1 | 192.168.2.13

DNS Queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS):
Mar 18, 2025 02:53:55.122515917 CET | 192.168.2.13 | 1.1.1.1 | 0xbeaf | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 18, 2025 02:53:55.122647047 CET | 192.168.2.13 | 1.1.1.1 | 0x88d0 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS Answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
Mar 18, 2025 02:53:55.129684925 CET | 1.1.1.1 | 192.168.2.13 | 0xbeaf | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Mar 18, 2025 02:53:55.129684925 CET | 1.1.1.1 | 192.168.2.13 | 0xbeaf | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.24 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 01:51:08
Start date (UTC): 18/03/2025
Path: /tmp/gigab.arm5.elf
Arguments: /tmp/gigab.arm5.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 01:51:08
Start date (UTC): 18/03/2025
Path: /tmp/gigab.arm5.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 01:51:08
Start date (UTC): 18/03/2025
Path: /tmp/gigab.arm5.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1