Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
686i.elf

Overview

General Information

Sample name:686i.elf
Analysis ID:1644265
MD5:1563f8c6a0b944489c6c99624ea50067
SHA1:7e7b91e995a2ac9c7528d1507e1814b9ada6066e
SHA256:1e414076b74be957f5d4e28f36c300654b741a27f44552f408b89f0f1de90ad2
Tags:elfuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:48
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1644265
Start date and time:2025-03-20 13:56:02 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:686i.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found

Runtime Messages

Command:/tmp/686i.elf
PID:6258
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
686i.elfLinux_Trojan_Gafgyt_83715433unknownunknown
  • 0x17af:$a: 8B 45 08 88 10 FF 45 08 8B 45 08 0F B6 00 84 C0 75 DB C9 C3 55
686i.elfLinux_Trojan_Tsunami_0fa3a6e9unknownunknown
  • 0x2747:$a: EC 8B 55 EC C1 FA 10 0F B7 45 EC 01 C2 89 55 EC 8B 45 EC C1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • Networking
  • System Summary

Click to jump to signature section

Show All Signature Results
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

System Summary

barindex
Source: 686i.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_83715433 Author: unknown
Source: 686i.elf, type: SAMPLEMatched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: 686i.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_83715433 reference_sample = 3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 25ac15f4b903d9e28653dad0db399ebd20d4e9baabf5078fbc33d3cd838dd7e9, id = 83715433-3dff-4238-8cdb-c51279565e05, last_modified = 2021-09-16
Source: 686i.elf, type: SAMPLEMatched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: classification engineClassification label: mal48.linELF@0/0@0/0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644265 Sample: 686i.elf Startdate: 20/03/2025 Architecture: LINUX Score: 48 6 109.202.202.202, 80 INIT7CH Switzerland 2->6 8 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->8 10 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->10 12 Malicious sample detected (through community Yara rule) 2->12 signatures3

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
686i.elf6%VirustotalBrowse
686i.elf8%ReversingLabs

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43Space.sh4.elfGet hashmaliciousUnknownBrowse
    Space.m68k.elfGet hashmaliciousMiraiBrowse
      smips.elfGet hashmaliciousUnknownBrowse
        psmpsl.elfGet hashmaliciousUnknownBrowse
          yakuza.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
            yakuza.x86.elfGet hashmaliciousGafgyt, MiraiBrowse
              .5r3fqt67ew531has4231.m68k.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                .5r3fqt67ew531has4231.ppc.elfGet hashmaliciousUnknownBrowse
                  main_m68k.elfGet hashmaliciousMiraiBrowse
                    m68k.elfGet hashmaliciousUnknownBrowse
                      91.189.91.42Space.sh4.elfGet hashmaliciousUnknownBrowse
                        Space.m68k.elfGet hashmaliciousMiraiBrowse
                          mips.elfGet hashmaliciousUnknownBrowse
                            smips.elfGet hashmaliciousUnknownBrowse
                              psmpsl.elfGet hashmaliciousUnknownBrowse
                                yakuza.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                  yakuza.x86.elfGet hashmaliciousGafgyt, MiraiBrowse
                                    yakuza.sh4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                      .5r3fqt67ew531has4231.mpsl.elfGet hashmaliciousUnknownBrowse
                                        .5r3fqt67ew531has4231.m68k.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBSpace.x86_64.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          sshd.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          Space.sh4.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          Space.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          mips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          smips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          psmpsl.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          .5r3fqt67ew531has4231.sh4.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                                          • 185.125.190.26
                                          yakuza.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          yakuza.x86.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBSpace.x86_64.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          sshd.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          Space.sh4.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          Space.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          mips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          smips.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          psmpsl.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          .5r3fqt67ew531has4231.sh4.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                                          • 185.125.190.26
                                          yakuza.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          yakuza.x86.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 91.189.91.42
                                          INIT7CHSpace.sh4.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          Space.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          mips.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          smips.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          psmpsl.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          yakuza.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 109.202.202.202
                                          yakuza.x86.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 109.202.202.202
                                          yakuza.sh4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 109.202.202.202
                                          .5r3fqt67ew531has4231.mpsl.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          .5r3fqt67ew531has4231.m68k.elfGet hashmaliciousGafgyt, Mirai, Moobot, OkiruBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, missing section headers at 79084
                                          Entropy (8bit):6.287680385832658
                                          TrID:
                                          • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                          • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                          File name:686i.elf
                                          File size:52'617 bytes
                                          MD5:1563f8c6a0b944489c6c99624ea50067
                                          SHA1:7e7b91e995a2ac9c7528d1507e1814b9ada6066e
                                          SHA256:1e414076b74be957f5d4e28f36c300654b741a27f44552f408b89f0f1de90ad2
                                          SHA512:85b07eaf9a0aa62a125c3e5be967fe2496cac91bcd46a3d899195799b11dca5e3531886af8b32d46cbcd5248ce22712b9833f881a0f142a4f3a3d6d239dad2e6
                                          SSDEEP:1536:kFPlxndf22h/xxaH333j3kaN1W7N+YRApCMS:kFPlxndf22h/xwXnTkai7MYRApCD
                                          TLSH:07332C0BEA02D2F6EC4716B2516BE3BF933166399460CD5DEB942D28FB32AC0B511356
                                          File Content Preview:.ELF....................h...4....2......4. ...(......................!...!...............!..........|...`-..........Q.td............................U..S.......[1...h........[]...$.............U......=`....t..1....$......$.......u........t...$...........`.

                                          Network Behavior

                                          Download Network PCAP: filteredfull

                                          Network Port Distribution

                                          • Total Packets: 8
                                          • 443 (HTTPS)
                                          • 80 (HTTP)
                                          TimestampSource PortDest PortSource IPDest IP
                                          Mar 20, 2025 13:56:54.747694016 CET43928443192.168.2.2391.189.91.42
                                          Mar 20, 2025 13:57:00.123054028 CET42836443192.168.2.2391.189.91.43
                                          Mar 20, 2025 13:57:01.146795034 CET4251680192.168.2.23109.202.202.202
                                          Mar 20, 2025 13:57:15.480952024 CET43928443192.168.2.2391.189.91.42
                                          Mar 20, 2025 13:57:25.719453096 CET42836443192.168.2.2391.189.91.43
                                          Mar 20, 2025 13:57:31.862679958 CET4251680192.168.2.23109.202.202.202
                                          Mar 20, 2025 13:57:56.435523033 CET43928443192.168.2.2391.189.91.42
                                          Mar 20, 2025 13:58:16.912615061 CET42836443192.168.2.2391.189.91.43

                                          System Behavior