Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
gigab.m68.elf

Overview

General Information

Sample name:gigab.m68.elf
Analysis ID:1643934
MD5:80171a7d7585fc2346094a65c453d8e0
SHA1:ef8fa01a2140cb607863f21600a4d871fa059f29
SHA256:03e88afbfadbcf73c1dbbb57e73df05620ae1e633b162ea4e120c66b9a347426
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1643934
Start date and time:2025-03-20 09:24:32 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 0s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:gigab.m68.elf
Detection:MAL
Classification:mal52.spre.linELF@0/1@2/0

Runtime Messages

Command:/tmp/gigab.m68.elf
PID:5492
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • gigab.m68.elf (PID: 5492, Parent: 5404, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/gigab.m68.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Spreading
  • Networking
  • System Summary
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: gigab.m68.elfReversingLabs: Detection: 33%

Spreading

barindex
Source: /tmp/gigab.m68.elf (PID: 5492)Opens: /proc/net/routeJump to behavior
Source: global trafficTCP traffic: 192.168.2.14:48988 -> 37.44.238.66:666
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal52.spre.linELF@0/1@2/0
Source: /tmp/gigab.m68.elf (PID: 5492)Queries kernel information via 'uname': Jump to behavior
Source: gigab.m68.elf, 5492.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmp, gigab.m68.elf, 5494.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/m68k
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp, gigab.m68.elf, 5494.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmpBinary or memory string: bx86_64/usr/bin/qemu-m68k/tmp/gigab.m68.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.m68.elf
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmp, gigab.m68.elf, 5494.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmpBinary or memory string: /usr/bin/qemu-m68k
Source: gigab.m68.elf, 5492.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmp, gigab.m68.elf, 5494.1.000055f4cbadf000.000055f4cbb43000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/m68k
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmpBinary or memory string: U/tmp/qemu-open.wPFlKr\
Source: gigab.m68.elf, 5492.1.00007ffdaca84000.00007ffdacaa5000.rw-.sdmpBinary or memory string: /tmp/qemu-open.wPFlKr

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
Remote System Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643934 Sample: gigab.m68.elf Startdate: 20/03/2025 Architecture: LINUX Score: 52 15 37.44.238.66, 48988, 666 HARMONYHOSTING-ASFR France 2->15 17 daisy.ubuntu.com 2->17 19 Multi AV Scanner detection for submitted file 2->19 8 gigab.m68.elf 2->8         started        signatures3 process4 signatures5 21 Opens /proc/net/* files useful for finding connected devices and routers 8->21 11 gigab.m68.elf 8->11         started        process6 process7 13 gigab.m68.elf 11->13         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gigab.m68.elf33%ReversingLabsLinux.Backdoor.Bashlite

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    37.44.238.66
    		unknownFrance
    		49434HARMONYHOSTING-ASFRfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    37.44.238.66gigab.arm5.elfGet hashmaliciousUnknownBrowse
      gigab.mips.elfGet hashmaliciousUnknownBrowse
        gigab.mips.elfGet hashmaliciousGafgytBrowse
          gigab.spc.elfGet hashmaliciousGafgytBrowse
            gigab.arm5.elfGet hashmaliciousGafgytBrowse
              gigab.arm4.elfGet hashmaliciousGafgytBrowse
                gigab.x86.elfGet hashmaliciousGafgytBrowse
                  gigab.ppc.elfGet hashmaliciousGafgytBrowse
                    gigab.sh4.elfGet hashmaliciousGafgytBrowse
                      gigab.arm4t.elfGet hashmaliciousGafgytBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comresgod.x86.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        sshd.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        resgod.arm5.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        resgod.arm6.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.arc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        resgod.arm7.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.mpsl.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.ppc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.arc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.arm6.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        HARMONYHOSTING-ASFRspim.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.92
                        686i.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.88
                        gigab.arm5.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.mips.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        l7vmra.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.92
                        gigab.mips.elfGet hashmaliciousGafgytBrowse
                        • 37.44.238.66
                        gigab.spc.elfGet hashmaliciousGafgytBrowse
                        • 37.44.238.66
                        gigab.arm5.elfGet hashmaliciousGafgytBrowse
                        • 37.44.238.66
                        gigab.arm4.elfGet hashmaliciousGafgytBrowse
                        • 37.44.238.66
                        gigab.x86.elfGet hashmaliciousGafgytBrowse
                        • 37.44.238.66

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        Process:/tmp/gigab.m68.elf
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):230
                        Entropy (8bit):3.709552666863289
                        Encrypted:false
                        SSDEEP:6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
                        MD5:2E667F43AE18CD1FE3C108641708A82C
                        SHA1:12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
                        SHA-256:6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
                        SHA-512:D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:Iface.Destination.Gateway .Flags.RefCnt.Use.Metric.Mask..MTU.Window.IRTT .ens160.00000000.c0a80201.0003.0.0.0.00000000.0.0.0.ens160.c0a80200.00000000.0001.0.0.0.ffffff00.0.0.0.

                        Static File Info

                        General

                        File type:ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, not stripped
                        Entropy (8bit):5.965284598357579
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:gigab.m68.elf
                        File size:92'407 bytes
                        MD5:80171a7d7585fc2346094a65c453d8e0
                        SHA1:ef8fa01a2140cb607863f21600a4d871fa059f29
                        SHA256:03e88afbfadbcf73c1dbbb57e73df05620ae1e633b162ea4e120c66b9a347426
                        SHA512:63bb00bd8091590e4e44cb8ad3bacd1d184ecde324c03389e7a9b2581c5441b97202831fb4aeb8686eef217dcf6c7583bb5eb44a3d42b3d5bc99a579d7c90608
                        SSDEEP:1536:9t+8nq4xvCQeqacWucW0JcWcBYV3NziLyPbFymFeu8icaqUUfp8v3He:/qWvCQeqacWucW0JcWcBk3NuMxhRDrMZ
                        TLSH:8193F997F911EEB6F40AE737089389147270FAB10F521A3263537BABED391D41867E42
                        File Content Preview:.ELF.......................D...4..]t.....4. ...(......................N...N....... .......N...n...n.......i....... .dt.Q............................NV..a....da...4.N^NuNV..J9..p.f>"y..n$ QJ.g.X.#...n$N."y..n$ QJ.f.A.....J.g.Hy..n.N.X.......p.N^NuNV..N^NuN

                        Network Behavior

                        Download Network PCAP: filteredfull

                        Network Port Distribution

                        • Total Packets: 11
                        • 666 undefined
                        • 53 (DNS)
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 20, 2025 09:25:18.527510881 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:25:18.692888975 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:25:18.692961931 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:25:18.694787979 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:25:18.859920979 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:26:12.095638037 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:26:12.095871925 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:26:12.266716003 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:26:12.266843081 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:27:12.102842093 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:27:12.103051901 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:27:12.271855116 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:27:12.271961927 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:28:12.112114906 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:28:12.112389088 CET48988666192.168.2.1437.44.238.66
                        Mar 20, 2025 09:28:12.281599998 CET6664898837.44.238.66192.168.2.14
                        Mar 20, 2025 09:28:12.281769991 CET48988666192.168.2.1437.44.238.66
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 20, 2025 09:28:01.266334057 CET4010653192.168.2.141.1.1.1
                        Mar 20, 2025 09:28:01.266470909 CET5241553192.168.2.141.1.1.1
                        Mar 20, 2025 09:28:01.365026951 CET53524151.1.1.1192.168.2.14
                        Mar 20, 2025 09:28:01.365853071 CET53401061.1.1.1192.168.2.14

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Mar 20, 2025 09:28:01.266334057 CET192.168.2.141.1.1.10xf0e7Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Mar 20, 2025 09:28:01.266470909 CET192.168.2.141.1.1.10x8449Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Mar 20, 2025 09:28:01.365853071 CET1.1.1.1192.168.2.140xf0e7No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                        Mar 20, 2025 09:28:01.365853071 CET1.1.1.1192.168.2.140xf0e7No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):08:25:17
                        Start date (UTC):20/03/2025
                        Path:/tmp/gigab.m68.elf
                        Arguments:/tmp/gigab.m68.elf
                        File size:4463432 bytes
                        MD5 hash:cd177594338c77b895ae27c33f8f86cc

                        File Activities

                        Process Activities

                        System Activities

                        Network Activities


                        General

                        Start time (UTC):08:25:17
                        Start date (UTC):20/03/2025
                        Path:/tmp/gigab.m68.elf
                        Arguments:-
                        File size:4463432 bytes
                        MD5 hash:cd177594338c77b895ae27c33f8f86cc

                        Process Activities


                        General

                        Start time (UTC):08:25:17
                        Start date (UTC):20/03/2025
                        Path:/tmp/gigab.m68.elf
                        Arguments:-
                        File size:4463432 bytes
                        MD5 hash:cd177594338c77b895ae27c33f8f86cc

                        Process Activities

                        Network Activities