Edit tour

Linux Analysis Report
45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf

Overview

General Information

Sample name:45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
Analysis ID:1644130
MD5:3eed12f410d1341cf697dd99fe121764
SHA1:bda37c82a35b6fad4deb00972fa7bb491163eaef
SHA256:c42d26bc01b583e08483a68dce4659c4a2696574cda4da2616eae84a7ae9dc2d
Tags:elfuser-threatquery
Infos:

Detection

Mirai
Score:80
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1644130
Start date and time:2025-03-20 11:48:30 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
Detection:MAL
Classification:mal80.troj.linELF@0/0@2/0
Command:/tmp/45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
PID:5432
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
    45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfJoeSecurity_Mirai_5Yara detected MiraiJoe Security
      45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfMAL_ELF_LNX_Mirai_Oct10_2Detects ELF malware Mirai relatedFlorian Roth
      • 0xe4e4:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
      SourceRuleDescriptionAuthorStrings
      5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
        5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmpJoeSecurity_Mirai_5Yara detected MiraiJoe Security
          5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmpMAL_ELF_LNX_Mirai_Oct10_2Detects ELF malware Mirai relatedFlorian Roth
          • 0xe4e4:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
          Process Memory Space: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf PID: 5432JoeSecurity_Mirai_9Yara detected MiraiJoe Security
            No Suricata rule has matched

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfAvira: detected
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfVirustotal: Detection: 65%Perma Link
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfReversingLabs: Detection: 72%
            Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com

            System Summary

            barindex
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, type: SAMPLEMatched rule: Detects ELF malware Mirai related Author: Florian Roth
            Source: 5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmp, type: MEMORYMatched rule: Detects ELF malware Mirai related Author: Florian Roth
            Source: ELF static info symbol of initial sample.symtab present: no
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, type: SAMPLEMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
            Source: 5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmp, type: MEMORYMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
            Source: classification engineClassification label: mal80.troj.linELF@0/0@2/0
            Source: /tmp/45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf (PID: 5432)Queries kernel information via 'uname': Jump to behavior
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, 5432.1.00007ffc193f9000.00007ffc1941a000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sh4/tmp/45.126.126.33-sora.sh4-2025-03-12T01_48_23.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, 5432.1.00007ffc193f9000.00007ffc1941a000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, 5432.1.0000561d9aaf4000.0000561d9ab57000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, 5432.1.00007ffc193f9000.00007ffc1941a000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
            Source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, 5432.1.0000561d9aaf4000.0000561d9ab57000.rw-.sdmpBinary or memory string: V5!/etc/qemu-binfmt/sh4

            Stealing of Sensitive Information

            barindex
            Source: Yara matchFile source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, type: SAMPLE
            Source: Yara matchFile source: 5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf PID: 5432, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara matchFile source: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf, type: SAMPLE
            Source: Yara matchFile source: 5432.1.00007f0ec4400000.00007f0ec4410000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf PID: 5432, type: MEMORYSTR
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
            Security Software Discovery
            Remote ServicesData from Local System1
            Non-Application Layer Protocol
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
            Application Layer Protocol
            Exfiltration Over BluetoothNetwork Denial of Service
            No configs have been found
            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Number of created Files
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644130 Sample: 45.126.126.33-sora.sh4-2025... Startdate: 20/03/2025 Architecture: LINUX Score: 80 8 daisy.ubuntu.com 2->8 10 Malicious sample detected (through community Yara rule) 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Yara detected Mirai 2->16 6 45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf 2->6         started        signatures3 process4
            SourceDetectionScannerLabelLink
            45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf66%VirustotalBrowse
            45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf72%ReversingLabsLinux.Trojan.Mirai
            45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf100%AviraLINUX/Mirai.bonb
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches

            Download Network PCAP: filteredfull

            NameIPActiveMaliciousAntivirus DetectionReputation
            daisy.ubuntu.com
            162.213.35.25
            truefalse
              high
              No contacted IP infos
              No context
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              daisy.ubuntu.comgigab.sh4.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.25
              mpsl.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24
              arm7.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.24
              arm5.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24
              sh4.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.25
              arm.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.25
              aarch64.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.24
              ppc.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.25
              mips.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24
              arm6.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24
              No context
              No context
              No context
              No created / dropped files found
              File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
              Entropy (8bit):6.785004383271391
              TrID:
              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
              File name:45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
              File size:63'772 bytes
              MD5:3eed12f410d1341cf697dd99fe121764
              SHA1:bda37c82a35b6fad4deb00972fa7bb491163eaef
              SHA256:c42d26bc01b583e08483a68dce4659c4a2696574cda4da2616eae84a7ae9dc2d
              SHA512:fbb98b7541f4db408e214fff7fabeb16573c1b700a23811191ce696505e1dc9d6d3d8e1d955d0f17a2364709afd62ad9cbf78ccd0c4cee2797b76b006686326c
              SSDEEP:1536:PaAtVnz1/mUUNztiYmW6ihiYLTofs3wfpWIDNEJ7JC7:P/tVz1eUUfwN0T0f+whWONEJ7J
              TLSH:5F539FA5C5ACAE58C71441B8B654CD388723F408A5A76EFBD646C796800BEFCF0187F1
              File Content Preview:.ELF..............*.......@.4...........4. ...(...............@...@.$...$...............(...(.A.(.A.$...............Q.td............................././"O.n........#.*@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

              ELF header

              Class:ELF32
              Data:2's complement, little endian
              Version:1 (current)
              Machine:<unknown>
              Version Number:0x1
              Type:EXEC (Executable file)
              OS/ABI:UNIX - System V
              ABI Version:0
              Entry Point Address:0x4001a0
              Flags:0x9
              ELF Header Size:52
              Program Header Offset:52
              Program Header Size:32
              Number of Program Headers:3
              Section Header Offset:63372
              Section Header Size:40
              Number of Section Headers:10
              Header String Table Index:9
              NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
              NULL0x00x00x00x00x0000
              .initPROGBITS0x4000940x940x300x00x6AX004
              .textPROGBITS0x4000e00xe00xe3e00x00x6AX0032
              .finiPROGBITS0x40e4c00xe4c00x240x00x6AX004
              .rodataPROGBITS0x40e4e40xe4e40x10400x00x2A004
              .ctorsPROGBITS0x41f5280xf5280x80x00x3WA004
              .dtorsPROGBITS0x41f5300xf5300x80x00x3WA004
              .dataPROGBITS0x41f53c0xf53c0x2100x00x3WA004
              .bssNOBITS0x41f74c0xf74c0x2800x00x3WA004
              .shstrtabSTRTAB0x00xf74c0x3e0x00x0001
              TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
              LOAD0x00x4000000x4000000xf5240xf5246.82040x5R E0x10000.init .text .fini .rodata
              LOAD0xf5280x41f5280x41f5280x2240x4a42.99970x6RW 0x10000.ctors .dtors .data .bss
              GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

              Download Network PCAP: filteredfull

              TimestampSource PortDest PortSource IPDest IP
              Mar 20, 2025 11:49:20.264029026 CET5087453192.168.2.138.8.8.8
              Mar 20, 2025 11:49:20.264029026 CET5872153192.168.2.138.8.8.8
              Mar 20, 2025 11:49:20.353982925 CET53587218.8.8.8192.168.2.13
              Mar 20, 2025 11:49:20.359669924 CET53508748.8.8.8192.168.2.13
              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Mar 20, 2025 11:49:20.264029026 CET192.168.2.138.8.8.80x69e1Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
              Mar 20, 2025 11:49:20.264029026 CET192.168.2.138.8.8.80x11e5Standard query (0)daisy.ubuntu.com28IN (0x0001)false
              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Mar 20, 2025 11:49:20.359669924 CET8.8.8.8192.168.2.130x69e1No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
              Mar 20, 2025 11:49:20.359669924 CET8.8.8.8192.168.2.130x69e1No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

              System Behavior

              Start time (UTC):10:49:18
              Start date (UTC):20/03/2025
              Path:/tmp/45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
              Arguments:/tmp/45.126.126.33-sora.sh4-2025-03-12T01_48_23.elf
              File size:4139976 bytes
              MD5 hash:8943e5f8f8c280467b4472c15ae93ba9