Linux
Analysis Report
686i.elf
Overview
General Information
Sample name: | 686i.elf |
Analysis ID: | 1644265 |
MD5: | 1563f8c6a0b944489c6c99624ea50067 |
SHA1: | 7e7b91e995a2ac9c7528d1507e1814b9ada6066e |
SHA256: | 1e414076b74be957f5d4e28f36c300654b741a27f44552f408b89f0f1de90ad2 |
Tags: | elfuser-abuse_ch |
Infos: | |
Errors
|
Detection
Score: | 48 |
Range: | 0 - 100 |
Signatures
Malicious sample detected (through community Yara rule)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1644265 |
Start date and time: | 2025-03-20 13:56:02 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | 686i.elf |
Detection: | MAL |
Classification: | mal48.linELF@0/0@0/0 |
- No process behavior to analyse as no analysis process or sample was found
Command: | /tmp/686i.elf |
PID: | 6258 |
Exit Code: | 139 |
Exit Code Info: | SIGSEGV (11) Segmentation fault invalid memory reference |
Killed: | False |
Standard Output: | |
Standard Error: |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Linux_Trojan_Gafgyt_83715433 | unknown | unknown |
| |
Linux_Trojan_Tsunami_0fa3a6e9 | unknown | unknown |
|
⊘No Suricata rule has matched
- • Networking
- • System Summary
Click to jump to signature section
Show All Signature Results
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
6% | Virustotal | Browse | ||
8% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
109.202.202.202 | Get hash | malicious | Unknown | Browse |
| |
91.189.91.43 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Gafgyt, Mirai | Browse | |||
Get hash | malicious | Gafgyt, Mirai | Browse | |||
Get hash | malicious | Gafgyt, Mirai, Moobot, Okiru | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
91.189.91.42 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Gafgyt, Mirai | Browse | |||
Get hash | malicious | Gafgyt, Mirai | Browse | |||
Get hash | malicious | Gafgyt, Mirai | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Gafgyt, Mirai, Moobot, Okiru | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CANONICAL-ASGB | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai, Moobot, Okiru | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
CANONICAL-ASGB | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai, Moobot, Okiru | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
INIT7CH | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai, Moobot, Okiru | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.287680385832658 |
TrID: |
|
File name: | 686i.elf |
File size: | 52'617 bytes |
MD5: | 1563f8c6a0b944489c6c99624ea50067 |
SHA1: | 7e7b91e995a2ac9c7528d1507e1814b9ada6066e |
SHA256: | 1e414076b74be957f5d4e28f36c300654b741a27f44552f408b89f0f1de90ad2 |
SHA512: | 85b07eaf9a0aa62a125c3e5be967fe2496cac91bcd46a3d899195799b11dca5e3531886af8b32d46cbcd5248ce22712b9833f881a0f142a4f3a3d6d239dad2e6 |
SSDEEP: | 1536:kFPlxndf22h/xxaH333j3kaN1W7N+YRApCMS:kFPlxndf22h/xwXnTkai7MYRApCD |
TLSH: | 07332C0BEA02D2F6EC4716B2516BE3BF933166399460CD5DEB942D28FB32AC0B511356 |
File Content Preview: | .ELF....................h...4....2......4. ...(......................!...!...............!..........|...`-..........Q.td............................U..S.......[1...h........[]...$.............U......=`....t..1....$......$.......u........t...$...........`. |
Download Network PCAP: filtered – full
- Total Packets: 8
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 20, 2025 13:56:54.747694016 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Mar 20, 2025 13:57:00.123054028 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Mar 20, 2025 13:57:01.146795034 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Mar 20, 2025 13:57:15.480952024 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Mar 20, 2025 13:57:25.719453096 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Mar 20, 2025 13:57:31.862679958 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Mar 20, 2025 13:57:56.435523033 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Mar 20, 2025 13:58:16.912615061 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |