Edit tour

Linux Analysis Report
zte.elf

Overview

General Information

Sample name:zte.elf
Analysis ID:1644224
MD5:5a6586ca5b500f7349bda9990d1269e3
SHA1:50fa3af9f162d303b03e42f64198a54a5bedfe1b
SHA256:bee0cdda851c92304a31e6469a30cce4e632cbdd59c0b247ed7a6cf840040842
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1644224
Start date and time:2025-03-20 13:14:35 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:zte.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0
Command:/tmp/zte.elf
PID:5492
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
  • system is lnxubuntu20
  • zte.elf (PID: 5492, Parent: 5415, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/zte.elf
  • cleanup
No yara matches
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: zte.elfVirustotal: Detection: 29%Perma Link
Source: zte.elfReversingLabs: Detection: 25%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappingsProgram segment: 0x400000
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: zte.elfSubmission file: segment LOAD with 7.9295 entropy (max. 8.0)
Source: /tmp/zte.elf (PID: 5492)Queries kernel information via 'uname': Jump to behavior
Source: zte.elf, 5492.1.00007ffdc49ac000.00007ffdc49cd000.rw-.sdmpBinary or memory string: X7x86_64/usr/bin/qemu-mips/tmp/zte.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zte.elf
Source: zte.elf, 5492.1.0000564a3ca56000.0000564a3cadd000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: zte.elf, 5492.1.00007ffdc49ac000.00007ffdc49cd000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: zte.elf, 5492.1.00007ffdc49ac000.00007ffdc49cd000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
Source: zte.elf, 5492.1.0000564a3ca56000.0000564a3cadd000.rw-.sdmpBinary or memory string: <JV!/etc/qemu-binfmt/mips
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information
OS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644224 Sample: zte.elf Startdate: 20/03/2025 Architecture: LINUX Score: 48 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 6 zte.elf 2->6         started        signatures3 process4
SourceDetectionScannerLabelLink
zte.elf30%VirustotalBrowse
zte.elf25%ReversingLabsLinux.Trojan.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    high
    No contacted IP infos
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.com.5r3fqt67ew531has4231.sh4.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
    • 162.213.35.24
    yakuza.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    yakuza.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    yakuza.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    yakuza.m68k.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    yakuza.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    yakuza.i586.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    yakuza.x32.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    .5r3fqt67ew531has4231.arm6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    .5r3fqt67ew531has4231.arm.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    No context
    No context
    No context
    No created / dropped files found
    File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
    Entropy (8bit):7.926640370499526
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:zte.elf
    File size:39'160 bytes
    MD5:5a6586ca5b500f7349bda9990d1269e3
    SHA1:50fa3af9f162d303b03e42f64198a54a5bedfe1b
    SHA256:bee0cdda851c92304a31e6469a30cce4e632cbdd59c0b247ed7a6cf840040842
    SHA512:ab1c04602062a778889600bf97b653dbd2de6bf365f349876c8238d261d8cd5f149fc26612a3ce59d0c75142644e39c8442e88c5ae87dcda41005c88e6da0bf2
    SSDEEP:768:GQ03IJY9iPQHTOUa6ceP3x1zj8npx/tSjZ0Y40x/U6SPU07uJgGlzDpxYs3:hJY9iPQzOUa6ceP3x1zIpxF3ZyM6SPUN
    TLSH:B703E12C022650D3C429D5BC22ED135026BF4EE398ABCC0BB5717AE389951F51E27FCA
    File Content Preview:.ELF.....................@.H...4.........4. ...(.............@...@...........................A...A.........l.........t.LYTS...........{...{........U.......?.E.h4...@b..) ..]....E..CCe.......e..`..jj.. q.....e~vj2...DA..p..T...:..w.$...?...i....M..........

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x408448
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0
    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x4000000x4000000x97c60x97c67.92950x5R E0x10000
    LOAD0x00x4100000x4100000x00x4de6c0.00000x6RW 0x10000

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Mar 20, 2025 13:15:25.015266895 CET3542653192.168.2.141.1.1.1
    Mar 20, 2025 13:15:25.015317917 CET3876153192.168.2.141.1.1.1
    Mar 20, 2025 13:15:25.113573074 CET53387611.1.1.1192.168.2.14
    Mar 20, 2025 13:15:25.115053892 CET53354261.1.1.1192.168.2.14
    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Mar 20, 2025 13:15:25.015266895 CET192.168.2.141.1.1.10x7116Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Mar 20, 2025 13:15:25.015317917 CET192.168.2.141.1.1.10x8a4cStandard query (0)daisy.ubuntu.com28IN (0x0001)false
    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Mar 20, 2025 13:15:25.115053892 CET1.1.1.1192.168.2.140x7116No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
    Mar 20, 2025 13:15:25.115053892 CET1.1.1.1192.168.2.140x7116No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

    System Behavior

    Start time (UTC):12:15:22
    Start date (UTC):20/03/2025
    Path:/tmp/zte.elf
    Arguments:/tmp/zte.elf
    File size:5777432 bytes
    MD5 hash:0083f1f0e77be34ad27f849842bbb00c