
Linux Analysis Report
gigab.m68.elf

Overview

General Information

Sample name: gigab.m68.elf
Analysis ID: 1643934
MD5: 80171a7d7585fc2346094a65c453d8e0
SHA1: ef8fa01a2140cb607863f21600a4d871fa059f29
SHA256: 03e88afbfadbcf73c1dbbb57e73df05620ae1e633b162ea4e120c66b9a347426
Tags: elf, user-abuse_ch

Detection

Score: 52 (range 0 - 100)

Signatures

Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Label: mal52.spre.linELF@0/1@2/0 (malicious, score 52; matched category: Spreading)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1643934
Start date and time: 2025-03-20 09:24:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: gigab.m68.elf
Detection: MAL
Classification: mal52.spre.linELF@0/1@2/0
Command: /tmp/gigab.m68.elf
PID: 5492
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output: (empty)

Standard Error:
  • system is lnxubuntu20
  • gigab.m68.elf (PID: 5492, Parent: 5404, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/gigab.m68.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: gigab.m68.elf | ReversingLabs: Detection: 33%

Spreading

Source: /tmp/gigab.m68.elf (PID: 5492) | Opens: /proc/net/route
Source: global traffic | TCP traffic: 192.168.2.14:48988 -> 37.44.238.66:666
Source: unknown | TCP traffic detected without corresponding DNS query: 37.44.238.66 (reported 9 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engine | Classification label: mal52.spre.linELF@0/1@2/0
Source: /tmp/gigab.m68.elf (PID: 5492) | Queries kernel information via 'uname'
Source: gigab.m68.elf, 5492.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmp, gigab.m68.elf, 5494.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp, gigab.m68.elf, 5494.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp | Binary or memory string: bx86_64/usr/bin/qemu-m68k/tmp/gigab.m68.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.m68.elf
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp, gigab.m68.elf, 5494.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: gigab.m68.elf, 5492.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmp, gigab.m68.elf, 5494.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp | Binary or memory string: U/tmp/qemu-open.wPFlKr\
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.wPFlKr

The qemu strings above (the /usr/bin/qemu-m68k argv, the /etc/qemu-binfmt/m68k registration path and the /tmp/qemu-open.* temporary file) come from the emulator, not from the sample: the analysis host is x64, so the m68k binary was run through QEMU user-mode emulation via binfmt, and the memory dumps listed are of that emulator process. They are an artifact of how the sandbox executed the file, not evidence of sandbox awareness in the sample.
MITRE ATT&CK matrix (techniques matched by the signatures above; one signature per technique)

Discovery: Security Software Discovery; Remote System Discovery
Command and Control: Non-Standard Port; Non-Application Layer Protocol; Application Layer Protocol
No configs have been found
Behavior graph (ID: 1643934, sample: gigab.m68.elf, start date: 20/03/2025, architecture: LINUX, score: 52)

  • Process tree: gigab.m68.elf started -> gigab.m68.elf (child) started -> gigab.m68.elf (grandchild) started
  • Network nodes: 37.44.238.66 (ports 48988 -> 666), HARMONYHOSTING-ASFR, France; daisy.ubuntu.com
  • Signatures shown on the graph: Multi AV Scanner detection for submitted file; Opens /proc/net/* files useful for finding connected devices and routers
Source | Detection | Scanner | Label
gigab.m68.elf | 33% | ReversingLabs | Linux.Backdoor.Bashlite
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | (none) | high

IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.66 | unknown | France | 49434 | HARMONYHOSTING-ASFR | false
Context for 37.44.238.66 (associated sample name | detection | threat name):
  • gigab.arm5.elf | malicious | Unknown
  • gigab.mips.elf | malicious | Unknown
  • gigab.mips.elf | malicious | Gafgyt
  • gigab.spc.elf | malicious | Gafgyt
  • gigab.arm5.elf | malicious | Gafgyt
  • gigab.arm4.elf | malicious | Gafgyt
  • gigab.x86.elf | malicious | Gafgyt
  • gigab.ppc.elf | malicious | Gafgyt
  • gigab.sh4.elf | malicious | Gafgyt
  • gigab.arm4t.elf | malicious | Gafgyt

The same C2 address serves the same "gigab" family compiled for ARM, MIPS, SPARC, x86, PowerPC, SH4 and (this sample) m68k, i.e. a multi-architecture Gafgyt/Bashlite drop set in which only the build target differs.
Context for daisy.ubuntu.com (associated sample name | detection | threat name | resolved address):
  • resgod.x86.elf | malicious | Mirai | 162.213.35.24
  • sshd.elf | malicious | Unknown | 162.213.35.24
  • resgod.arm5.elf | malicious | Mirai | 162.213.35.25
  • resgod.arm6.elf | malicious | Mirai | 162.213.35.24
  • resgod.arc.elf | malicious | Mirai | 162.213.35.25
  • resgod.arm7.elf | malicious | Mirai | 162.213.35.24
  • resgod.mpsl.elf | malicious | Mirai | 162.213.35.24
  • resgod.ppc.elf | malicious | Mirai | 162.213.35.24
  • resgod.arc.elf | malicious | Mirai | 162.213.35.24
  • resgod.arm6.elf | malicious | Mirai | 162.213.35.24

daisy.ubuntu.com is the Ubuntu error-reporting (whoopsie) endpoint. Its lookup appears in many unrelated Linux analyses because the Ubuntu analysis system itself contacts it; it is sandbox background noise, not a contact made by the sample.
Context for HARMONYHOSTING-ASFR (associated sample name | detection | threat name | address):
  • spim.elf | malicious | Mirai | 37.44.238.92
  • 686i.elf | malicious | Mirai | 37.44.238.88
  • gigab.arm5.elf | malicious | Unknown | 37.44.238.66
  • gigab.mips.elf | malicious | Unknown | 37.44.238.66
  • l7vmra.elf | malicious | Mirai | 37.44.238.92
  • gigab.mips.elf | malicious | Gafgyt | 37.44.238.66
  • gigab.spc.elf | malicious | Gafgyt | 37.44.238.66
  • gigab.arm5.elf | malicious | Gafgyt | 37.44.238.66
  • gigab.arm4.elf | malicious | Gafgyt | 37.44.238.66
  • gigab.x86.elf | malicious | Gafgyt | 37.44.238.66
No context
Process: /tmp/gigab.m68.elf
File Type: ASCII text
Category: dropped
Size (bytes): 230
Entropy (8bit): 3.709552666863289
Encrypted: false
SSDEEP: 6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
MD5: 2E667F43AE18CD1FE3C108641708A82C
SHA1: 12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
SHA-256: 6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
SHA-512: D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
Malicious: false
Reputation: high, very likely benign file
Preview:
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ens160 00000000 c0a80201 0003 0 0 0 00000000 0 0 0
ens160 c0a80200 00000000 0001 0 0 0 ffffff00 0 0 0

This "dropped" file is not written by the sample; it is the content of /proc/net/route as the sample read it, which the sandbox records as a file artifact. Decoded, it gives a default route (flags 0003 = UP|GATEWAY) via 192.168.2.1 on ens160 and a directly connected network 192.168.2.0/24, i.e. the gateway and local subnet a Gafgyt spreader uses to choose scan targets. The addresses read in natural order (c0a80201 = 192.168.2.1) rather than the reversed order a little-endian x86 kernel prints, because QEMU's user-mode emulator rewrites /proc/net/route into the big-endian m68k target's byte order before handing it to the guest.
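The following is an added example (not code from the report or from the sample) that decodes a /proc/net/route capture the way the "Opens /proc/net/* files useful for finding connected devices and routers" signature implies the bot does: it extracts the default gateway and the directly connected subnets, which is the scan range a Gafgyt-style spreader derives from this file. The input is constructed from the preview above with the kernel's tab layout restored; the `endian` parameter is an assumption added so the same parser also handles a native little-endian x86 rendering, which prints the same addresses byte-reversed.

```python
import ipaddress
import socket
import struct
from typing import List, NamedTuple, Optional

# Constructed sample input: the /proc/net/route content recorded in this report,
# re-spaced into the kernel's tab-separated layout (field values unchanged).
SAMPLE_ROUTE_FILE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "ens160\t00000000\tc0a80201\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "ens160\tc0a80200\t00000000\t0001\t0\t0\t0\tffffff00\t0\t0\t0\n"
)

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached through a gateway


class Route(NamedTuple):
    iface: str
    destination: str
    gateway: str
    mask: str
    flags: int


def hex_addr_to_ip(field: str, endian: str = "big") -> str:
    """Decode one 8-hex-digit address field of /proc/net/route.

    The kernel prints each IPv4 address as a native 32-bit integer, so on a
    little-endian x86 host 192.168.2.1 appears as 0102A8C0.  This report's
    capture shows c0a80201 because QEMU user-mode emulation rewrites the file
    into the big-endian m68k target's byte order, hence the default "big".
    """
    packed = struct.pack(">I" if endian == "big" else "<I", int(field, 16))
    return socket.inet_ntoa(packed)


def parse_proc_net_route(text: str, endian: str = "big") -> List[Route]:
    """Parse the routing-table text into Route records (header line skipped)."""
    routes = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 8:
            continue  # tolerate a truncated trailing line
        iface, dest, gw, flags, _refcnt, _use, _metric, mask = cols[:8]
        routes.append(Route(iface,
                            hex_addr_to_ip(dest, endian),
                            hex_addr_to_ip(gw, endian),
                            hex_addr_to_ip(mask, endian),
                            int(flags, 16)))
    return routes


def default_gateway(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 entry with RTF_GATEWAY set: the router the bot will see."""
    for r in routes:
        if r.destination == "0.0.0.0" and r.flags & RTF_GATEWAY and r.flags & RTF_UP:
            return r
    return None


def local_networks(routes: List[Route]) -> List[str]:
    """Directly connected subnets (no gateway flag): the range a local-subnet
    sweep would target."""
    nets = []
    for r in routes:
        if r.destination != "0.0.0.0" and not (r.flags & RTF_GATEWAY) and r.flags & RTF_UP:
            nets.append(str(ipaddress.ip_network(f"{r.destination}/{r.mask}", strict=False)))
    return nets


def scan_targets(routes: List[Route]) -> int:
    """Number of host addresses a sweep over the local networks would touch."""
    return sum(max(ipaddress.ip_network(n).num_addresses - 2, 1) for n in local_networks(routes))


if __name__ == "__main__":
    rt = parse_proc_net_route(SAMPLE_ROUTE_FILE)
    print("gateway:", default_gateway(rt))
    print("local networks:", local_networks(rt), "hosts to scan:", scan_targets(rt))
```

When applying this to a capture from a sandbox or host, confirm the byte order first: the easiest check is the netmask field, which reads ffffff00 for /24 in big-endian rendering and 00ffffff in the native x86 rendering.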
File type: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
Entropy (8bit): 5.965284598357579
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: gigab.m68.elf
File size: 92'407 bytes
MD5: 80171a7d7585fc2346094a65c453d8e0
SHA1: ef8fa01a2140cb607863f21600a4d871fa059f29
SHA256: 03e88afbfadbcf73c1dbbb57e73df05620ae1e633b162ea4e120c66b9a347426
SHA512: 63bb00bd8091590e4e44cb8ad3bacd1d184ecde324c03389e7a9b2581c5441b97202831fb4aeb8686eef217dcf6c7583bb5eb44a3d42b3d5bc99a579d7c90608
SSDEEP: 1536:9t+8nq4xvCQeqacWucW0JcWcBYV3NziLyPbFymFeu8icaqUUfp8v3He:/qWvCQeqacWucW0JcWcBk3NuMxhRDrMZ
TLSH: 8193F997F911EEB6F40AE737089389147270FAB10F521A3263537BABED391D41867E42
File Content Preview: .ELF.......................D...4..]t.....4. ...(......................N...N....... .......N...n...n.......i....... .dt.Q............................NV..a....da...4.N^NuNV..J9..p.f>"y..n$ QJ.g.X.#...n$N."y..n$ QJ.f.A.....J.g.Hy..n.N.X.......p.N^NuNV..N^NuN
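Added example, not part of the report: a minimal ELF header triage that reads only e_ident, e_type, e_machine and e_entry, enough to sort a multi-architecture drop set like the gigab.* family (arm, mips, sparc, x86, ppc, sh4, m68k) into the right qemu-user emulator before detonation, which is what happened implicitly here (the memory strings show /usr/bin/qemu-m68k). The two headers it is run on are constructed stand-ins built by `make_header`, not bytes from the sample; the entry addresses and the `qemu-<arch>` naming convention in `qemu_user_binary` are assumptions for illustration.

```python
import struct
from typing import NamedTuple

# e_machine values from the ELF specification for the targets the gigab.* family
# was built for (plus x86_64 for completeness).
E_MACHINE = {2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc", 40: "arm",
             42: "sh4", 62: "x86_64"}
E_TYPE = {2: "EXEC", 3: "DYN"}


class ElfIdentity(NamedTuple):
    bits: int      # 32 or 64
    endian: str    # "big" (MSB) or "little" (LSB)
    e_type: str
    arch: str
    entry: int


def identify_elf(data: bytes) -> ElfIdentity:
    """Read e_ident, e_type, e_machine and e_entry from the start of an ELF file.

    Only the first 28 (ELF32) or 32 (ELF64) bytes are needed, so this also works
    on a truncated download.  Raises ValueError on non-ELF or damaged input.
    """
    if len(data) < 24 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    bits = 32 if ei_class == 1 else 64
    prefix = ">" if ei_data == 2 else "<"         # ELFDATA2MSB == 2
    # e_type, e_machine, e_version, e_entry (e_entry is 4 bytes on ELF32, 8 on ELF64)
    fmt = prefix + ("HHII" if bits == 32 else "HHIQ")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("header truncated")
    e_type, e_machine, _e_version, e_entry = struct.unpack_from(fmt, data, 16)
    return ElfIdentity(bits,
                       "big" if ei_data == 2 else "little",
                       E_TYPE.get(e_type, f"type {e_type}"),
                       E_MACHINE.get(e_machine, f"machine {e_machine}"),
                       e_entry)


def qemu_user_binary(ident: ElfIdentity) -> str:
    """qemu-user binary an x86_64 host needs to run this file.  Assumed naming:
    qemu-<arch>, with the little-endian MIPS build named qemu-mipsel."""
    if ident.arch == "mips" and ident.endian == "little":
        return "qemu-mipsel"
    return f"qemu-{ident.arch}"


def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int, entry: int) -> bytes:
    """Build a complete but minimal ELF header for testing (constructed, not from the sample)."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    prefix = ">" if ei_data == 2 else "<"
    if ei_class == 1:   # ELF32: 52-byte header, 32-byte phdrs, 40-byte shdrs
        body = struct.pack(prefix + "HHIIIIIHHHHHH",
                           e_type, e_machine, 1, entry, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    else:               # ELF64: 64-byte header, 56-byte phdrs, 64-byte shdrs
        body = struct.pack(prefix + "HHIQQQIHHHHHH",
                           e_type, e_machine, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + body


# Constructed stand-ins: a big-endian m68k executable like gigab.m68.elf and a
# little-endian x86 one like gigab.x86.elf (entry addresses are assumed values).
M68K_SAMPLE_HEADER = make_header(1, 2, 2, 4, 0x80000144)
X86_SAMPLE_HEADER = make_header(1, 1, 2, 3, 0x08048100)

if __name__ == "__main__":
    for name, hdr in (("gigab.m68.elf", M68K_SAMPLE_HEADER), ("gigab.x86.elf", X86_SAMPLE_HEADER)):
        ident = identify_elf(hdr)
        print(name, ident, "->", qemu_user_binary(ident))
```

For gigab.m68.elf this yields ELF32, big-endian, EXEC, m68k, matching the sandbox's "ELF 32-bit MSB executable, Motorola m68k" line; static linking is not visible in the header alone and needs the program headers (absence of PT_INTERP).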

  • Total Packets: 11
  • Port 666: undefined
  • Port 53: DNS
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 09:25:18.527510881 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:25:18.692888975 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:25:18.692961931 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:25:18.694787979 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:25:18.859920979 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:26:12.095638037 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:26:12.095871925 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:26:12.266716003 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:26:12.266843081 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:27:12.102842093 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:27:12.103051901 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:27:12.271855116 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:27:12.271961927 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:28:12.112114906 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:28:12.112389088 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66
Mar 20, 2025 09:28:12.281599998 CET | 666 | 48988 | 37.44.238.66 | 192.168.2.14
Mar 20, 2025 09:28:12.281769991 CET | 48988 | 666 | 192.168.2.14 | 37.44.238.66

The bot connects once to 37.44.238.66:666 at 09:25:18 and holds the session open; every further exchange (09:26:12, 09:27:12, 09:28:12) is initiated by the server side, at an interval of about 60 seconds, which is consistent with a C2 keepalive rather than with the bot polling. No DNS lookup precedes the connection, so the C2 address is embedded in the binary.
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 09:28:01.266334057 CET | 40106 | 53 | 192.168.2.14 | 1.1.1.1
Mar 20, 2025 09:28:01.266470909 CET | 52415 | 53 | 192.168.2.14 | 1.1.1.1
Mar 20, 2025 09:28:01.365026951 CET | 53 | 52415 | 1.1.1.1 | 192.168.2.14
Mar 20, 2025 09:28:01.365853071 CET | 53 | 40106 | 1.1.1.1 | 192.168.2.14

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2025 09:28:01.266334057 CET | 192.168.2.14 | 1.1.1.1 | 0xf0e7 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 20, 2025 09:28:01.266470909 CET | 192.168.2.14 | 1.1.1.1 | 0x8449 | Standard query (0) | daisy.ubuntu.com | 28 (AAAA) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2025 09:28:01.365853071 CET | 1.1.1.1 | 192.168.2.14 | 0xf0e7 | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Mar 20, 2025 09:28:01.365853071 CET | 1.1.1.1 | 192.168.2.14 | 0xf0e7 | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.25 | A (IP address) | IN (0x0001) | false
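Added example, not code from the report or from Joe Sandbox: the three network signatures raised above ("TCP traffic detected without corresponding DNS query", "Detected TCP or UDP traffic on non-standard ports", and the periodic exchange on port 666) implemented as detection logic over flow records. The packet list and DNS answers are constructed from the TCP, UDP and DNS tables above (timestamps truncated to microseconds); `STANDARD_PORTS` and the 5-second burst gap and 20 % jitter thresholds are assumed tuning values, not figures from the report.

```python
from datetime import datetime
from statistics import mean, median, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _pkt(hms: str, proto: str, src: str, sport: int, dst: str, dport: int) -> Packet:
    return Packet(datetime.strptime("2025-03-20 " + hms, "%Y-%m-%d %H:%M:%S.%f"),
                  proto, src, sport, dst, dport)


LOCAL = "192.168.2.14"
RESOLVERS = {"1.1.1.1"}
C2, BOT_PORT = "37.44.238.66", 48988

# Constructed from the report's TCP and UDP packet tables.
PACKETS = [
    _pkt("09:25:18.527510", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:25:18.692888", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:25:18.692961", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:25:18.694787", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:25:18.859920", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:26:12.095638", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:26:12.095871", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:26:12.266716", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:26:12.266843", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:27:12.102842", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:27:12.103051", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:27:12.271855", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:27:12.271961", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:28:12.112114", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:28:12.112389", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:28:12.281599", "tcp", C2, 666, LOCAL, BOT_PORT),
    _pkt("09:28:12.281769", "tcp", LOCAL, BOT_PORT, C2, 666),
    _pkt("09:28:01.266334", "udp", LOCAL, 40106, "1.1.1.1", 53),
    _pkt("09:28:01.266470", "udp", LOCAL, 52415, "1.1.1.1", 53),
]
# Constructed from the report's DNS answer table.
DNS_ANSWERS: Dict[str, List[str]] = {"daisy.ubuntu.com": ["162.213.35.24", "162.213.35.25"]}

STANDARD_PORTS = {22, 25, 53, 80, 123, 443}  # assumed allow-list for this network


def contacts_without_dns(packets, local, dns_answers, resolvers) -> List[str]:
    """Remote IPs the host sent packets to that no DNS answer ever returned
    (the report's 'TCP traffic detected without corresponding DNS query').
    Known resolvers are excluded so the DNS query itself is not flagged."""
    resolved = {ip for ips in dns_answers.values() for ip in ips}
    return sorted({p.dst for p in packets
                   if p.src == local and p.dst not in resolved and p.dst not in resolvers})


def nonstandard_port_targets(packets, local, standard=STANDARD_PORTS) -> Set[Tuple[str, int]]:
    """(dst, dport) pairs outside the allow-list (the 'non-standard ports' signature)."""
    return {(p.dst, p.dport) for p in packets if p.src == local and p.dport not in standard}


def beacon_profile(packets, local, remote, gap_s=5.0) -> dict:
    """Split one conversation into bursts separated by silence > gap_s, then
    measure the burst-to-burst interval.  Low relative jitter over three or
    more intervals is the keepalive pattern; 'initiators' records which side
    sent the first packet of each burst (here the C2 after the initial connect)."""
    conv = sorted((p for p in packets if {p.src, p.dst} == {local, remote}), key=lambda p: p.ts)
    bursts, initiators, prev = [], [], None
    for p in conv:
        if prev is None or (p.ts - prev).total_seconds() > gap_s:
            bursts.append(p.ts)
            initiators.append(p.src)
        prev = p.ts
    intervals = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
    if len(intervals) < 3:
        return {"periodic": False, "intervals": intervals, "initiators": initiators}
    jitter = pstdev(intervals) / mean(intervals)
    return {"periodic": jitter < 0.2, "median_s": median(intervals), "jitter": jitter,
            "intervals": intervals, "initiators": initiators}


if __name__ == "__main__":
    print("no-DNS contacts:", contacts_without_dns(PACKETS, LOCAL, DNS_ANSWERS, RESOLVERS))
    print("non-standard ports:", nonstandard_port_targets(PACKETS, LOCAL))
    print("beacon profile:", beacon_profile(PACKETS, LOCAL, C2))
```

On this capture the first interval is shorter (about 53.6 s, measured from the initial connect) and the next two are 60.0 s, so the median lands on 60 s with roughly 5 % jitter; any of the three checks alone would have fired on this session even though no Suricata rule matched.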

System Behavior

Start time (UTC): 08:25:17
Start date (UTC): 20/03/2025
Path: /tmp/gigab.m68.elf
Arguments: /tmp/gigab.m68.elf
File size: 4463432 bytes
MD5 hash: cd177594338c77b895ae27c33f8f86cc

Start time (UTC): 08:25:17
Start date (UTC): 20/03/2025
Path: /tmp/gigab.m68.elf
Arguments: -
File size: 4463432 bytes
MD5 hash: cd177594338c77b895ae27c33f8f86cc

Start time (UTC): 08:25:17
Start date (UTC): 20/03/2025
Path: /tmp/gigab.m68.elf
Arguments: -
File size: 4463432 bytes
MD5 hash: cd177594338c77b895ae27c33f8f86cc

The three entries are the sample, its child and its grandchild (it forks twice at start-up, as the behavior graph shows). The file size (4463432 bytes) and MD5 (cd177594338c77b895ae27c33f8f86cc) recorded here do not match the submitted file (92'407 bytes, MD5 80171a7d7585fc2346094a65c453d8e0) because the executable actually mapped into each process is the QEMU user-mode emulator (/usr/bin/qemu-m68k, visible in the memory strings above) running the m68k binary; when pivoting on process hashes from this report, use the submitted-file hashes, not these.