
Linux Analysis Report
686i.elf

Overview

General Information

Sample name: 686i.elf
Analysis ID: 1644265
MD5: 1563f8c6a0b944489c6c99624ea50067
SHA1: 7e7b91e995a2ac9c7528d1507e1814b9ada6066e
SHA256: 1e414076b74be957f5d4e28f36c300654b741a27f44552f408b89f0f1de90ad2
Tags: elf, user-abuse_ch
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 48
Range: 0 - 100

Signatures

  • Malicious sample detected (through community Yara rule)
  • Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
  • Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644265
Start date and time: 2025-03-20 13:56:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: 686i.elf
Detection: MAL
Classification: mal48.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found
Command: /tmp/686i.elf
PID: 6258
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault, invalid memory reference
Killed: False
Standard Output:

Standard Error:
Yara matches (Source / Rule / Description / Author / Strings):
686i.elf: Linux_Trojan_Gafgyt_83715433 (description: unknown, author: unknown)
  • 0x17af:$a: 8B 45 08 88 10 FF 45 08 8B 45 08 0F B6 00 84 C0 75 DB C9 C3 55
686i.elf: Linux_Trojan_Tsunami_0fa3a6e9 (description: unknown, author: unknown)
  • 0x2747:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1
No Suricata rule has matched

Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown; TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown; TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: 686i.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_83715433 Author: unknown
Source: 686i.elf, type: SAMPLE; Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: 686i.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_83715433 reference_sample = 3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 25ac15f4b903d9e28653dad0db399ebd20d4e9baabf5078fbc33d3cd838dd7e9, id = 83715433-3dff-4238-8cdb-c51279565e05, last_modified = 2021-09-16
Source: 686i.elf, type: SAMPLE; Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: classification engine; Classification label: mal48.linELF@0/0@0/0
MITRE ATT&CK matrix (matched techniques only): Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
No configs have been found
Behavior Graph (ID: 1644265; sample: 686i.elf; start date: 20/03/2025; architecture: LINUX; score: 48):
  • 109.202.202.202, port 80, INIT7CH, Switzerland
  • 91.189.91.42, port 443, CANONICAL-ASGB, United Kingdom
  • 91.189.91.43, port 443, CANONICAL-ASGB, United Kingdom
  • Signature: Malicious sample detected (through community Yara rule)
Antivirus detection (Source / Detection / Scanner):
686i.elf: 6% (Virustotal)
686i.elf: 8% (ReversingLabs)
No Antivirus matches


No contacted domains info
IP               | Domain  | Country        | ASN   | ASN Name       | Malicious
109.202.202.202  | unknown | Switzerland    | 13030 | INIT7CH        | false
91.189.91.43     | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42     | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
IP context (Match / Associated Sample Name / Detection / Threat Name / Context):
109.202.202.202:
  • kpLwzBouH4.elf: malicious, Unknown; context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43:
  • Space.sh4.elf: malicious, Unknown
  • Space.m68k.elf: malicious, Mirai
  • smips.elf: malicious, Unknown
  • psmpsl.elf: malicious, Unknown
  • yakuza.mpsl.elf: malicious, Gafgyt, Mirai
  • yakuza.x86.elf: malicious, Gafgyt, Mirai
  • .5r3fqt67ew531has4231.m68k.elf: malicious, Gafgyt, Mirai, Moobot, Okiru
  • .5r3fqt67ew531has4231.ppc.elf: malicious, Unknown
  • main_m68k.elf: malicious, Mirai
  • m68k.elf: malicious, Unknown
91.189.91.42:
  • Space.sh4.elf: malicious, Unknown
  • Space.m68k.elf: malicious, Mirai
  • mips.elf: malicious, Unknown
  • smips.elf: malicious, Unknown
  • psmpsl.elf: malicious, Unknown
  • yakuza.mpsl.elf: malicious, Gafgyt, Mirai
  • yakuza.x86.elf: malicious, Gafgyt, Mirai
  • yakuza.sh4.elf: malicious, Gafgyt, Mirai
  • .5r3fqt67ew531has4231.mpsl.elf: malicious, Unknown
  • .5r3fqt67ew531has4231.m68k.elf: malicious, Gafgyt, Mirai, Moobot, Okiru
No context
ASN context (Match / Associated Sample Name / Detection / Threat Name / Contacted IP):
CANONICAL-ASGB:
  • Space.x86_64.elf: malicious, Unknown; IP 185.125.190.26
  • sshd.elf: malicious, Unknown; IP 185.125.190.26
  • Space.sh4.elf: malicious, Unknown; IP 91.189.91.42
  • Space.m68k.elf: malicious, Mirai; IP 91.189.91.42
  • mips.elf: malicious, Unknown; IP 91.189.91.42
  • smips.elf: malicious, Unknown; IP 91.189.91.42
  • psmpsl.elf: malicious, Unknown; IP 91.189.91.42
  • .5r3fqt67ew531has4231.sh4.elf: malicious, Gafgyt, Mirai, Moobot, Okiru; IP 185.125.190.26
  • yakuza.mpsl.elf: malicious, Gafgyt, Mirai; IP 91.189.91.42
  • yakuza.x86.elf: malicious, Gafgyt, Mirai; IP 91.189.91.42
INIT7CH:
  • Space.sh4.elf: malicious, Unknown; IP 109.202.202.202
  • Space.m68k.elf: malicious, Mirai; IP 109.202.202.202
  • mips.elf: malicious, Unknown; IP 109.202.202.202
  • smips.elf: malicious, Unknown; IP 109.202.202.202
  • psmpsl.elf: malicious, Unknown; IP 109.202.202.202
  • yakuza.mpsl.elf: malicious, Gafgyt, Mirai; IP 109.202.202.202
  • yakuza.x86.elf: malicious, Gafgyt, Mirai; IP 109.202.202.202
  • yakuza.sh4.elf: malicious, Gafgyt, Mirai; IP 109.202.202.202
  • .5r3fqt67ew531has4231.mpsl.elf: malicious, Unknown; IP 109.202.202.202
  • .5r3fqt67ew531has4231.m68k.elf: malicious, Gafgyt, Mirai, Moobot, Okiru; IP 109.202.202.202
No context
                                          No created / dropped files found
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, missing section headers at 79084
Entropy (8bit): 6.287680385832658
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: 686i.elf
File size: 52'617 bytes
MD5: 1563f8c6a0b944489c6c99624ea50067
SHA1: 7e7b91e995a2ac9c7528d1507e1814b9ada6066e
SHA256: 1e414076b74be957f5d4e28f36c300654b741a27f44552f408b89f0f1de90ad2
SHA512: 85b07eaf9a0aa62a125c3e5be967fe2496cac91bcd46a3d899195799b11dca5e3531886af8b32d46cbcd5248ce22712b9833f881a0f142a4f3a3d6d239dad2e6
SSDEEP: 1536:kFPlxndf22h/xxaH333j3kaN1W7N+YRApCMS:kFPlxndf22h/xwXnTkai7MYRApCD
TLSH: 07332C0BEA02D2F6EC4716B2516BE3BF933166399460CD5DEB942D28FB32AC0B511356
                                          File Content Preview:.ELF....................h...4....2......4. ...(......................!...!...............!..........|...`-..........Q.td............................U..S.......[1...h........[]...$.............U......=`....t..1....$......$.......u........t...$...........`.


TCP packets: total 8; ports 443 (HTTPS), 80 (HTTP)
Timestamp                        | Source Port | Dest Port | Source IP    | Dest IP
Mar 20, 2025 13:56:54.747694016 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 20, 2025 13:57:00.123054028 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 20, 2025 13:57:01.146795034 CET | 42516 | 80  | 192.168.2.23 | 109.202.202.202
Mar 20, 2025 13:57:15.480952024 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 20, 2025 13:57:25.719453096 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 20, 2025 13:57:31.862679958 CET | 42516 | 80  | 192.168.2.23 | 109.202.202.202
Mar 20, 2025 13:57:56.435523033 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 20, 2025 13:58:16.912615061 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43

                                          System Behavior