Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
arm5.elf

Overview

General Information

Sample name:arm5.elf
Analysis ID:1644294
MD5:dc23dd9f93cb6fae3e8a04a09ef787c7
SHA1:225f05cf42febb3fd93a426eb80082fdf32e5df2
SHA256:f63c91b9438dca7f6536404b3404a6019aa8be95e89e63f75c493d5f16db890d
Tags:elfMiraiuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1644294
Start date and time:2025-03-20 14:24:03 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 22s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm5.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0

Runtime Messages

Command:/tmp/arm5.elf
PID:5421
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • arm5.elf (PID: 5421, Parent: 5342, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.elf
  • dash New Fork (PID: 5509, Parent: 3589)
  • rm (PID: 5509, Parent: 3589, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.vzlfepkIjS /tmp/tmp.kPG5a446x2 /tmp/tmp.d1EHPtTiJK
  • dash New Fork (PID: 5510, Parent: 3589)
  • rm (PID: 5510, Parent: 3589, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.vzlfepkIjS /tmp/tmp.kPG5a446x2 /tmp/tmp.d1EHPtTiJK
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Persistence and Installation Behavior
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: arm5.elfAvira: detected
Source: arm5.elfVirustotal: Detection: 53%Perma Link
Source: arm5.elfReversingLabs: Detection: 44%
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 58876
Source: unknownNetwork traffic detected: HTTP traffic on port 58876 -> 443
Source: LOAD without section mappingsProgram segment: 0x8000
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5509)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.vzlfepkIjS /tmp/tmp.kPG5a446x2 /tmp/tmp.d1EHPtTiJKJump to behavior
Source: /usr/bin/dash (PID: 5510)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.vzlfepkIjS /tmp/tmp.kPG5a446x2 /tmp/tmp.d1EHPtTiJKJump to behavior
Source: arm5.elfSubmission file: segment LOAD with 7.9615 entropy (max. 8.0)
Source: /tmp/arm5.elf (PID: 5421)Queries kernel information via 'uname': Jump to behavior
Source: arm5.elf, 5421.1.00007ffd0268b000.00007ffd026ac000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.elf
Source: arm5.elf, 5421.1.0000563a7e218000.0000563a7e346000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: arm5.elf, 5421.1.00007ffd0268b000.00007ffd026ac000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: arm5.elf, 5421.1.0000563a7e218000.0000563a7e346000.rw-.sdmpBinary or memory string: "~:V!/etc/qemu-binfmt/arm
Source: arm5.elf, 5421.1.00007ffd0268b000.00007ffd026ac000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
File Deletion		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644294 Sample: arm5.elf Startdate: 20/03/2025 Architecture: LINUX Score: 56 12 54.171.230.55, 443, 58876 AMAZON-02US United States 2->12 14 daisy.ubuntu.com 2->14 16 Antivirus / Scanner detection for submitted sample 2->16 18 Multi AV Scanner detection for submitted file 2->18 6 dash rm 2->6         started        8 dash rm 2->8         started        10 arm5.elf 2->10         started        signatures3 process4

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
arm5.elf53%VirustotalBrowse
arm5.elf44%ReversingLabsLinux.Trojan.Mirai
arm5.elf100%AviraEXP/ELF.Agent.F.14

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    54.171.230.55
    		unknownUnited States
    		16509AMAZON-02USfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    54.171.230.55na.elfGet hashmaliciousPrometeiBrowse
      hoho.powerpc.elfGet hashmaliciousUnknownBrowse
        Space.arm6.elfGet hashmaliciousUnknownBrowse
          smips.elfGet hashmaliciousUnknownBrowse
            psmips.elfGet hashmaliciousUnknownBrowse
              yakuza.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                main_mpsl.elfGet hashmaliciousMiraiBrowse
                  i.elfGet hashmaliciousMiraiBrowse
                    arc.elfGet hashmaliciousMiraiBrowse
                      aarch64.elfGet hashmaliciousMiraiBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comhoho.m68k.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        hoho.mipsel.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        hoho.armv7l.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        miner.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        hoho.i586.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        hoho.i686.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        sshd.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        Space.spc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        Nyx4r.arm6.elfGet hashmaliciousOkiruBrowse
                        • 162.213.35.24
                        Nyx4r.m68k.elfGet hashmaliciousOkiruBrowse
                        • 162.213.35.25

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        AMAZON-02UShoho.x86.elfGet hashmaliciousUnknownBrowse
                        • 54.119.141.49
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 54.255.164.76
                        hoho.armv4l.elfGet hashmaliciousUnknownBrowse
                        • 35.157.3.245
                        hoho.armv6l.elfGet hashmaliciousUnknownBrowse
                        • 34.249.145.219
                        na.elfGet hashmaliciousPrometeiBrowse
                        • 34.243.160.129
                        miner.elfGet hashmaliciousUnknownBrowse
                        • 34.243.160.129
                        hoho.powerpc.elfGet hashmaliciousUnknownBrowse
                        • 54.171.230.55
                        hoho.sparc.elfGet hashmaliciousUnknownBrowse
                        • 52.35.74.180
                        hoho.sh4.elfGet hashmaliciousUnknownBrowse
                        • 52.222.196.136
                        Space.ppc.elfGet hashmaliciousUnknownBrowse
                        • 34.249.145.219

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
                        Entropy (8bit):7.959363221743005
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:arm5.elf
                        File size:35'324 bytes
                        MD5:dc23dd9f93cb6fae3e8a04a09ef787c7
                        SHA1:225f05cf42febb3fd93a426eb80082fdf32e5df2
                        SHA256:f63c91b9438dca7f6536404b3404a6019aa8be95e89e63f75c493d5f16db890d
                        SHA512:3269269f34a171bd2e5204ac19a1a405b95890fc991e10625ebbb538eaffae54c847192184625064bd6d26cdaf5ffccd1acb049b3e7d227f2064af4c1c37214b
                        SSDEEP:768:InA87gQNdIgTpk7mVPRVxxgDqlhqR7CmTIS+90mzKU+8BAh3Uo:IwQNugTCYPRfx169tIS80mS2+
                        TLSH:C3F2F1B1FB85E1F182E28C7684EC06C83339D9F1D98B343E9B2C62EA504155762C5A67
                        File Content Preview:.ELF...a..........(.........4...........4. ...(.....................................................................Q.td..............................q.YTS.@.......x%..x%......R..........?.E.h;.}...^..........fQ.B.1...........7.....5$.Ud....2..6Th..."....

                        Static ELF Info

                        ELF header

                        Class:ELF32
                        Data:2's complement, little endian
                        Version:1 (current)
                        Machine:ARM
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:ARM - ABI
                        ABI Version:0
                        Entry Point Address:0xf7d4
                        Flags:0x2
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:3
                        Section Header Offset:0
                        Section Header Size:40
                        Number of Section Headers:0
                        Header String Table Index:0

                        Program Segments

                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                        LOAD0x00x80000x80000x89080x89087.96150x5R E0x8000
                        LOAD0x00x180000x180000x00x108880.00000x6RW 0x8000
                        GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                        Network Behavior

                        Download Network PCAP: filteredfull

                        Network Port Distribution

                        • Total Packets: 6
                        • 443 (HTTPS)
                        • 53 (DNS)
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 20, 2025 14:25:11.054430008 CET58876443192.168.2.1354.171.230.55
                        Mar 20, 2025 14:25:11.054470062 CET4435887654.171.230.55192.168.2.13
                        Mar 20, 2025 14:25:11.054610968 CET58876443192.168.2.1354.171.230.55
                        Mar 20, 2025 14:25:11.056737900 CET58876443192.168.2.1354.171.230.55
                        Mar 20, 2025 14:25:11.056756973 CET4435887654.171.230.55192.168.2.13
                        Mar 20, 2025 14:26:11.054718971 CET58876443192.168.2.1354.171.230.55
                        Mar 20, 2025 14:26:11.096323967 CET4435887654.171.230.55192.168.2.13
                        Mar 20, 2025 14:26:47.502278090 CET4435887654.171.230.55192.168.2.13
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 20, 2025 14:24:46.384062052 CET4574853192.168.2.131.1.1.1
                        Mar 20, 2025 14:24:46.384114027 CET4882553192.168.2.131.1.1.1
                        Mar 20, 2025 14:24:46.482556105 CET53488251.1.1.1192.168.2.13
                        Mar 20, 2025 14:24:46.553894997 CET53457481.1.1.1192.168.2.13

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Mar 20, 2025 14:24:46.384062052 CET192.168.2.131.1.1.10xececStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Mar 20, 2025 14:24:46.384114027 CET192.168.2.131.1.1.10x9346Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Mar 20, 2025 14:24:46.553894997 CET1.1.1.1192.168.2.130xececNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                        Mar 20, 2025 14:24:46.553894997 CET1.1.1.1192.168.2.130xececNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):13:24:43
                        Start date (UTC):20/03/2025
                        Path:/tmp/arm5.elf
                        Arguments:/tmp/arm5.elf
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        File Activities

                        Process Activities

                        System Activities


                        General

                        Start time (UTC):13:26:10
                        Start date (UTC):20/03/2025
                        Path:/usr/bin/dash
                        Arguments:-
                        File size:129816 bytes
                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                        Process Activities


                        General

                        Start time (UTC):13:26:10
                        Start date (UTC):20/03/2025
                        Path:/usr/bin/rm
                        Arguments:rm -f /tmp/tmp.vzlfepkIjS /tmp/tmp.kPG5a446x2 /tmp/tmp.d1EHPtTiJK
                        File size:72056 bytes
                        MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                        File Activities


                        General

                        Start time (UTC):13:26:10
                        Start date (UTC):20/03/2025
                        Path:/usr/bin/dash
                        Arguments:-
                        File size:129816 bytes
                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                        Process Activities


                        General

                        Start time (UTC):13:26:10
                        Start date (UTC):20/03/2025
                        Path:/usr/bin/rm
                        Arguments:rm -f /tmp/tmp.vzlfepkIjS /tmp/tmp.kPG5a446x2 /tmp/tmp.d1EHPtTiJK
                        File size:72056 bytes
                        MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                        File Activities