
Linux Analysis Report
gigab.i686.elf

Overview

General Information

Sample name: gigab.i686.elf
Analysis ID: 1643831
MD5: c1b336fecec48326beeb39edffbcf973
SHA1: 51cab587c8e541fc8a1b49b0ab94b2e75b7460ee
SHA256: b8da6ab162d8415ed1b4654f71cb333d91236c4dfe5f65a6d6192de2d57917d7
Tags: elf, user-abuse_ch

Detection

Score: 48 (range 0 - 100)

Signatures

Malicious sample detected (through community Yara rule)
Executes the "rm" command used to delete files or directories
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1643831
Start date and time: 2025-03-20 07:37:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: gigab.i686.elf
Detection: MAL
Classification: mal48.linELF@0/0@0/0
Command: /tmp/gigab.i686.elf
PID: 5473
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault, invalid memory reference
Killed: False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5537, Parent: 3635)
  • rm (PID: 5537, Parent: 3635, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.zgX6pUASmU /tmp/tmp.Xo3dZmrSLS /tmp/tmp.b15Bmvw870
  • dash New Fork (PID: 5538, Parent: 3635)
  • rm (PID: 5538, Parent: 3635, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.zgX6pUASmU /tmp/tmp.Xo3dZmrSLS /tmp/tmp.b15Bmvw870
  • cleanup

Source | Rule | Description | Author | Strings
gigab.i686.elf | Linux_Trojan_Gafgyt_862c4e0e | unknown | unknown | 0x1427:$a: 02 89 45 F8 8B 45 F8 C1 E8 10 85 C0 75 E6 8B 45 F8 F7 D0 0F

No Suricata rule has matched


Networking

Source: unknown; TCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknown; TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown; TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown; TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown; TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown; TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown; TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 43390
Source: unknown; Network traffic detected: HTTP traffic on port 43390 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 46540 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42468 -> 443

System Summary

Source: gigab.i686.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_862c4e0e Author: unknown
Source: gigab.i686.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_862c4e0e reference_sample = 9526277255a8d632355bfe54d53154c9c54a4ab75e3ba24333c73ad0ed7cadb1, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 2a6b4f8d8fb4703ed26bdcfbbb5c539dc451c8b90649bee80015c164eae4c281, id = 862c4e0e-83a4-458b-8c00-f2f3cf0bf9db, last_modified = 2021-09-16
Source: classification engine; Classification label: mal48.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 5537); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.zgX6pUASmU /tmp/tmp.Xo3dZmrSLS /tmp/tmp.b15Bmvw870
Source: /usr/bin/dash (PID: 5538); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.zgX6pUASmU /tmp/tmp.Xo3dZmrSLS /tmp/tmp.b15Bmvw870
MITRE ATT&CK Matrix (a number before a technique is the signature count shown in the matrix cell)

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: 1 File Deletion; Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Service Discovery; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service
No configs have been found
Behavior Graph (ID: 1643831, Sample: gigab.i686.elf, Start date: 20/03/2025, Architecture: LINUX, Score: 48)

  • 2 -> 10: 185.125.190.26, port 443, CANONICAL-ASGB, United Kingdom
  • 2 -> 12: 34.243.160.129, port 443, AMAZON-02US, United States
  • 2 -> 14: 54.247.62.1, ports 43390 and 443, AMAZON-02US, United States
  • 2 -> 16: Malicious sample detected (through community Yara rule)
  • 2 -> 6: dash rm (started)
  • 2 -> 8: dash rm (started)
Source | Detection | Scanner | Label | Link
gigab.i686.elf | 6% | ReversingLabs | |
No Antivirus matches


No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
34.243.160.129 | unknown | United States | 16509 | AMAZON-02US | false
54.247.62.1 | unknown | United States | 16509 | AMAZON-02US | false
Match | Associated Sample Name / URL | Detection | Threat Name
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | .i.elf | malicious | Unknown
185.125.190.26 | jkse.arm6.elf | malicious | Unknown
185.125.190.26 | nklarm6.elf | malicious | Unknown
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | sync.mipsel.elf | malicious | Unknown
185.125.190.26 | na.elf | malicious | Prometei
185.125.190.26 | arm6.elf | malicious | Unknown
34.243.160.129 | na.elf | malicious | Prometei
34.243.160.129 | na.elf | malicious | Prometei
34.243.160.129 | na.elf | malicious | Prometei
34.243.160.129 | hide.spc.elf | malicious | Unknown
34.243.160.129 | na.elf | malicious | Prometei
34.243.160.129 | arm7.nn.elf | malicious | Mirai
34.243.160.129 | m-p.s-l.Sakura.elf | malicious | Gafgyt, Mirai
34.243.160.129 | m68k.nn.elf | malicious | Mirai, Okiru
34.243.160.129 | zbotx86.elf | malicious | Tsunami
34.243.160.129 | na.elf | malicious | Prometei
54.247.62.1 | jkse.arm7.elf | malicious | Mirai
54.247.62.1 | na.elf | malicious | Prometei
54.247.62.1 | na.elf | malicious | Prometei
54.247.62.1 | apep.arm.elf | malicious | Unknown
54.247.62.1 | na.elf | malicious | Prometei
54.247.62.1 | rrrdsl.elf | malicious | Unknown
54.247.62.1 | na.elf | malicious | Prometei
54.247.62.1 | powerpc.nn.elf | malicious | Mirai
54.247.62.1 | na.elf | malicious | Prometei
54.247.62.1 | m68k.elf | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
AMAZON-02US | sshd.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 34.243.160.129
AMAZON-02US | FG_ShippingNotice_20250310_XDGF.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | miner.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 54.171.230.55
AMAZON-02US | https://ezproxy.lakeheadu.ca/login?url=https://gamma.app/docs/Incoming-PDF-Document-wpeaqji1jmv0zug?mode=present#card-f9lsd6ekhyr749b | malicious | Unknown | 108.139.47.21
AMAZON-02US | Chevron Request details folder.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
CANONICAL-ASGB | miner.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | sshd.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | miner.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 185.125.190.26
CANONICAL-ASGB | miner.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
No context
No created / dropped files found

File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, missing section headers at 68068
Entropy (8bit): 5.758087959491267
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: gigab.i686.elf
File size: 12'768 bytes
MD5: c1b336fecec48326beeb39edffbcf973
SHA1: 51cab587c8e541fc8a1b49b0ab94b2e75b7460ee
SHA256: b8da6ab162d8415ed1b4654f71cb333d91236c4dfe5f65a6d6192de2d57917d7
SHA512: 5f7ab3b5d5d3104114bf0fbfb87a720893f68bbfa316f7732e5ab5c1edcfe73717260a406c0dc4333abbd691a06cc944ea240344279c779524fddd23185c3c9c
SSDEEP: 192:fu4TYHdvF4lEUEasyahIv6saBg3qfBf3Y1IlBgpsXFQT8R6wJdfkSV6CUjjGns29:fudi9D6Y6bBDfo1agpqWWfBV6uOR1s
TLSH: 93425264F207C0F2E9052B73408FB1AF6221B32DD4767E9EEB5A1C10E736C91A59476B
File Content Preview: .ELF........................4...d.......4. ...(.....................t...t....................p...p.......y..............p...pv..pv..................Q.td............................U..S............h........[]...$.............U......=.x...t..1.....v......v.


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 07:38:19.200400114 CET | 42468 | 443 | 192.168.2.14 | 34.243.160.129
Mar 20, 2025 07:38:27.392128944 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26
Mar 20, 2025 07:38:47.771946907 CET | 43390 | 443 | 192.168.2.14 | 54.247.62.1
Mar 20, 2025 07:38:47.772041082 CET | 443 | 43390 | 54.247.62.1 | 192.168.2.14
Mar 20, 2025 07:38:47.772182941 CET | 43390 | 443 | 192.168.2.14 | 54.247.62.1
Mar 20, 2025 07:38:47.773673058 CET | 43390 | 443 | 192.168.2.14 | 54.247.62.1
Mar 20, 2025 07:38:47.773706913 CET | 443 | 43390 | 54.247.62.1 | 192.168.2.14
Mar 20, 2025 07:38:59.135325909 CET | 46540 | 443 | 192.168.2.14 | 185.125.190.26
Mar 20, 2025 07:39:47.770894051 CET | 43390 | 443 | 192.168.2.14 | 54.247.62.1
Mar 20, 2025 07:39:47.816337109 CET | 443 | 43390 | 54.247.62.1 | 192.168.2.14
Mar 20, 2025 07:40:20.856375933 CET | 443 | 43390 | 54.247.62.1 | 192.168.2.14

System Behavior

Start time (UTC): 06:39:46
Start date (UTC): 20/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 06:39:46
Start date (UTC): 20/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.zgX6pUASmU /tmp/tmp.Xo3dZmrSLS /tmp/tmp.b15Bmvw870
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 06:39:46
Start date (UTC): 20/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 06:39:46
Start date (UTC): 20/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.zgX6pUASmU /tmp/tmp.Xo3dZmrSLS /tmp/tmp.b15Bmvw870
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b