Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
jkse.arm5.elf

Overview

General Information

Sample name:jkse.arm5.elf
Analysis ID:1643740
MD5:e85e6efb85a2a838580af15d28a91db0
SHA1:084b7882195509869ebbe8707f3d521be70fe208
SHA256:bf8679cbc66ba4ea7b71fac9d2510a2fa8679663f7aa4b1a98099fd11f52147f
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1643740
Start date and time:2025-03-20 03:47:13 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:jkse.arm5.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Runtime Messages

Command:/tmp/jkse.arm5.elf
PID:6242
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Dark bot has been sent!!!
Standard Error:

Process Tree

  • system is lnxubuntu20
  • jkse.arm5.elf (PID: 6242, Parent: 6163, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/jkse.arm5.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: jkse.arm5.elfVirustotal: Detection: 28%Perma Link
Source: jkse.arm5.elfReversingLabs: Detection: 30%
Source: global trafficTCP traffic: 192.168.2.23:38874 -> 196.251.81.246:2223
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /tmp/jkse.arm5.elf (PID: 6242)Queries kernel information via 'uname': Jump to behavior
Source: jkse.arm5.elf, 6242.1.000055827ca0d000.000055827cb3b000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: jkse.arm5.elf, 6242.1.00007ffd85a9e000.00007ffd85abf000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/jkse.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/jkse.arm5.elf
Source: jkse.arm5.elf, 6242.1.000055827ca0d000.000055827cb3b000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: jkse.arm5.elf, 6242.1.00007ffd85a9e000.00007ffd85abf000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Standard Port		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643740 Sample: jkse.arm5.elf Startdate: 20/03/2025 Architecture: LINUX Score: 48 11 196.251.81.246, 2223, 38874 SONIC-WirelessZA Seychelles 2->11 13 109.202.202.202, 80 INIT7CH Switzerland 2->13 15 2 other IPs or domains 2->15 17 Multi AV Scanner detection for submitted file 2->17 7 jkse.arm5.elf 2->7         started        signatures3 process4 process5 9 jkse.arm5.elf 7->9         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
jkse.arm5.elf28%VirustotalBrowse
jkse.arm5.elf31%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
196.251.81.246
unknownSeychelles
37417SONIC-WirelessZAfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
196.251.81.246jkse.mpsl.elfGet hashmaliciousUnknownBrowse
    jkse.arm.elfGet hashmaliciousUnknownBrowse
      jkse.ppc.elfGet hashmaliciousUnknownBrowse
        jkse.mips.elfGet hashmaliciousUnknownBrowse
          jkse.x86.elfGet hashmaliciousUnknownBrowse
            hgfs.mips.elfGet hashmaliciousUnknownBrowse
              hgfs.arm5.elfGet hashmaliciousUnknownBrowse
                hgfs.mpsl.elfGet hashmaliciousUnknownBrowse
                  hgfs.x86.elfGet hashmaliciousUnknownBrowse
                    hgfs.arm.elfGet hashmaliciousUnknownBrowse
                      91.189.91.43na.elfGet hashmaliciousPrometeiBrowse
                        na.elfGet hashmaliciousPrometeiBrowse
                          jkse.mpsl.elfGet hashmaliciousUnknownBrowse
                            jkse.arm.elfGet hashmaliciousUnknownBrowse
                              na.elfGet hashmaliciousPrometeiBrowse
                                jkse.ppc.elfGet hashmaliciousUnknownBrowse
                                  jkse.mips.elfGet hashmaliciousUnknownBrowse
                                    na.elfGet hashmaliciousPrometeiBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        na.elfGet hashmaliciousPrometeiBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          SONIC-WirelessZAjkse.mpsl.elfGet hashmaliciousUnknownBrowse
                                          • 196.251.81.246
                                          jkse.arm.elfGet hashmaliciousUnknownBrowse
                                          • 196.251.81.246
                                          jkse.ppc.elfGet hashmaliciousUnknownBrowse
                                          • 196.251.81.246
                                          jkse.mips.elfGet hashmaliciousUnknownBrowse
                                          • 196.251.81.246
                                          jkse.x86.elfGet hashmaliciousUnknownBrowse
                                          • 196.251.81.246
                                          http://xbyvrqtn.top/usGet hashmaliciousUnknownBrowse
                                          • 196.251.84.181
                                          http://xbyvrqtn.top/usGet hashmaliciousUnknownBrowse
                                          • 196.251.84.181
                                          http://xbyvrqtn.top/usGet hashmaliciousUnknownBrowse
                                          • 196.251.84.181
                                          https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/jegv1ldtjh.a%25c2%25ade%25c2%25Adk%25C2%25Adl%25C2%25Adr%25c2%25adi%25C2%25ADn%25C2%25ADz%25C2%25adq%25c2%25adj%25C2%25Adq%25C2%25aDi%25C2%25aDb%25c2%25ADq%25C2%25Ado%25c2%25aDka.t%25e2%2580%258bop%25E2%2580%258b%25E2%2580%258B%25e2%2580%258b%25e2%2580%258B%25e2%2580%258b%25E2%2580%258B/amMgVuH15&source=gmail&ust=1742410052450000&usg=AOvVaw0GK2SUuLEby7u5w5ZWxyMh&YTdPAksnR=xagYpqPznMYk&YyfzgJrJvRpTM=RTPnZXNAiOh&PLnshNZqnl=baausDsxgpv&qJduqCVMbFdQx=BbatOoTYZZuQ&RPUUNGyEOz=qTJWgcVCEJaNbm&ufWjhADKw=eBZhUsnl&KLBhhhQa=mrGnAJdvrbof&wcUBdTuxBkmso=EkffKbil&KsqXNiBqxanKX=MtCvZcliGnM&tTjHekJYXkvvP=jTYAKbfGOAO&IWIyeMJGRCyRL=koUYltfPVrTyWqD&lbZtBn=HkHQOrPNB&cHoeySn=UAAUckZtc&ApNBSf=https://HyJrMaYnoQ&BLwCqS=uyynTqnODJSU&ecDECnehYNZRJ=LGmwkowGuNaBZ&uFYXyk=pjWCPZkOEWah&dzrPNTsALF=aShddbXpJvuB&ZCSedalrUK=amMxQTfdevAy&YOklOPCHPuxh=ArBOEbAAGCL&jgyuaVdbuP=GZTylTEAvWpIU&gaJMaMAxBAvd=EQkoxvGGFp&bbsHeAsTzlJ=WbDBQqwWuGet hashmaliciousUnknownBrowse
                                          • 196.251.87.145
                                          https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/jeo2bu4xli.n%25c2%25Adz%25c2%25Adg%25c2%25adc%25c2%25Adr%25c2%25adf%25c2%25ADh%25C2%25Adl%25C2%25Adt%25c2%25aDa%25c2%25aDd%25c2%25aDi%25C2%25ADo%25c2%25Adw%25C2%25Adw%25C2%25addn.t%25e2%2580%258Bop%25e2%2580%258B%25E2%2580%258B%25E2%2580%258B%25E2%2580%258B%25e2%2580%258B%25E2%2580%258B%25e2%2580%258B/bwPHDPEJd&source=gmail&ust=1742413495673000&usg=AOvVaw39FbuU5xpVacJWgJQtP58b&FtlJrYdzNAhN=uknHniJ&PmCXQdns=MzApfXsDDjKokpX&WJEATipbJJkHU=wBUHmYvZBSY&MvuBQRjKnyOdG=NmBhucjwiXGhHJ&HsgJXV=vUQVLxQuP&OoHkHEYkrde=BYDXDOUHGOJFuLX&BXmGKopH=kGhpVZI&dWIzLIFvfOYsb=SRJFeyfVS&jv=PYRYelozPw&ltqhxtYX=pZOJEBKVd&SozPniSkWA=oVsZYnlxgai&ZNgdDeJB=aQDOTycq&aJQRplgTpnZSq=bTqFbYiklKcoMOv&MDXkizPwGl=https://HGDYSHGYmzPafU&zIgpqQRkTfM=MOrpRmhzLs&HJIaiQDe=jmQYqbe&cSoMIS=IekAbLKFqgNOxBi&JiDUNutRC=AHOKRzrWU&ZeaHXQPofWpSm=teYFaSKd&TToGkcLeeK=JkUmUxP&jwBftbrKOo=NdxcUwSLkn&uDUWxpwv=gakyAdL&xLcrMT=yBIWjELAduPSwGet hashmaliciousUnknownBrowse
                                          • 196.251.87.145
                                          CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          jkse.mpsl.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          jkse.arm.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          jkse.ppc.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          jkse.mips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          jkse.mpsl.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          jkse.arm.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          jkse.ppc.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          jkse.mips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          INIT7CHna.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202
                                          jkse.mpsl.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          jkse.arm.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202
                                          jkse.ppc.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          jkse.mips.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202
                                          na.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                                          Entropy (8bit):5.805624019967264
                                          TrID:
                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                          File name:jkse.arm5.elf
                                          File size:18'720 bytes
                                          MD5:e85e6efb85a2a838580af15d28a91db0
                                          SHA1:084b7882195509869ebbe8707f3d521be70fe208
                                          SHA256:bf8679cbc66ba4ea7b71fac9d2510a2fa8679663f7aa4b1a98099fd11f52147f
                                          SHA512:d5dd2c1fda3f0489074819c719fc74add9ca8176f2f0255b0da96599644598115b1c762574428993f3e838c953171b28c8112bfab1d3d96685f637c23adcb290
                                          SSDEEP:384:k9mF40XpdypRtvZY9K/R3dj6bT6b8Z69KlouFB1/WFktxFx4eHS:k8FddypRt+E/v+uJs1/WFk4
                                          TLSH:3482C4D9B952DA02C9C50237BA0E468E7A25575CF2CE3303AF273F517A8A9270A7E115
                                          File Content Preview:.ELF...a..........(.........4....G......4. ...(.....................TE..TE..............XE..XE..XE..................Q.td..................................-...L."...............0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                                          Static ELF Info

                                          ELF header

                                          Class:ELF32
                                          Data:2's complement, little endian
                                          Version:1 (current)
                                          Machine:ARM
                                          Version Number:0x1
                                          Type:EXEC (Executable file)
                                          OS/ABI:ARM - ABI
                                          ABI Version:0
                                          Entry Point Address:0x8190
                                          Flags:0x2
                                          ELF Header Size:52
                                          Program Header Offset:52
                                          Program Header Size:32
                                          Number of Program Headers:3
                                          Section Header Offset:18320
                                          Section Header Size:40
                                          Number of Section Headers:10
                                          Header String Table Index:9

                                          Sections

                                          NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                          NULL0x00x00x00x00x0000
                                          .initPROGBITS0x80940x940x180x00x6AX004
                                          .textPROGBITS0x80b00xb00x3ee80x00x6AX0016
                                          .finiPROGBITS0xbf980x3f980x140x00x6AX004
                                          .rodataPROGBITS0xbfac0x3fac0x5a80x00x2A004
                                          .ctorsPROGBITS0x145580x45580x80x00x3WA004
                                          .dtorsPROGBITS0x145600x45600x80x00x3WA004
                                          .dataPROGBITS0x1456c0x456c0x1e40x00x3WA004
                                          .bssNOBITS0x147500x47500xd5180x00x3WA004
                                          .shstrtabSTRTAB0x00x47500x3e0x00x0001

                                          Program Segments

                                          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                          LOAD0x00x80000x80000x45540x45545.87730x5R E0x8000.init .text .fini .rodata
                                          LOAD0x45580x145580x145580x1f80xd7103.04900x6RW 0x8000.ctors .dtors .data .bss
                                          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                                          Network Behavior

                                          Download Network PCAP: filteredfull

                                          Network Port Distribution

                                          • Total Packets: 12
                                          • 2223 undefined
                                          • 443 (HTTPS)
                                          • 80 (HTTP)
                                          TimestampSource PortDest PortSource IPDest IP
                                          Mar 20, 2025 03:48:00.360769987 CET388742223192.168.2.23196.251.81.246
                                          Mar 20, 2025 03:48:00.533108950 CET222338874196.251.81.246192.168.2.23
                                          Mar 20, 2025 03:48:00.533282995 CET388742223192.168.2.23196.251.81.246
                                          Mar 20, 2025 03:48:00.534337044 CET388742223192.168.2.23196.251.81.246
                                          Mar 20, 2025 03:48:00.581521034 CET43928443192.168.2.2391.189.91.42
                                          Mar 20, 2025 03:48:00.704618931 CET222338874196.251.81.246192.168.2.23
                                          Mar 20, 2025 03:48:00.704713106 CET388742223192.168.2.23196.251.81.246
                                          Mar 20, 2025 03:48:00.877177000 CET222338874196.251.81.246192.168.2.23
                                          Mar 20, 2025 03:48:06.212795019 CET42836443192.168.2.2391.189.91.43
                                          Mar 20, 2025 03:48:07.492687941 CET4251680192.168.2.23109.202.202.202
                                          Mar 20, 2025 03:48:21.570725918 CET43928443192.168.2.2391.189.91.42
                                          Mar 20, 2025 03:48:31.809348106 CET42836443192.168.2.2391.189.91.43
                                          Mar 20, 2025 03:48:37.952673912 CET4251680192.168.2.23109.202.202.202
                                          Mar 20, 2025 03:49:02.525502920 CET43928443192.168.2.2391.189.91.42
                                          Mar 20, 2025 03:49:23.002413988 CET42836443192.168.2.2391.189.91.43

                                          System Behavior

                                          General

                                          Start time (UTC):02:47:59
                                          Start date (UTC):20/03/2025
                                          Path:/tmp/jkse.arm5.elf
                                          Arguments:/tmp/jkse.arm5.elf
                                          File size:4956856 bytes
                                          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                          File Activities

                                          Process Activities

                                          System Activities


                                          General

                                          Start time (UTC):02:47:59
                                          Start date (UTC):20/03/2025
                                          Path:/tmp/jkse.arm5.elf
                                          Arguments:-
                                          File size:4956856 bytes
                                          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                          Process Activities

                                          Network Activities