Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
x.rar.elf

Overview

General Information

Sample name:x.rar.elf
Analysis ID:1645463
MD5:6c8a16ed9f183d652e44b33fba9b2f88
SHA1:20fbc68f08c22b5fa5152adbfb12e8177d507d6a
SHA256:eaf3671ee1af8990aa354f3bdc34a72192d56039105e4b1668fa0eec148bb716
Tags:elfuser-abuse_ch
Infos:

Detection

Xmrig
Score:68
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Executes the "rm" command used to delete files or directories
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1645463
Start date and time:2025-03-21 19:28:02 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:x.rar.elf
Detection:MAL
Classification:mal68.mine.linELF@0/0@0/0

Runtime Messages

Command:/tmp/x.rar.elf
PID:5480
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5520, Parent: 3632)
  • rm (PID: 5520, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.QH7mnZeNQY /tmp/tmp.SePge9FzMC /tmp/tmp.x4B175S2RO
  • dash New Fork (PID: 5521, Parent: 3632)
  • rm (PID: 5521, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.QH7mnZeNQY /tmp/tmp.SePge9FzMC /tmp/tmp.x4B175S2RO
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XMRIGNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
x.rar.elfJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
    x.rar.elfLinux_Trojan_Pornoasset_927f314funknownunknown
    • 0x253818:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
    x.rar.elfMacOS_Cryptominer_Xmrig_241780a1unknownunknown
    • 0x4fb254:$a1: mining.set_target
    • 0x4ed815:$a2: XMRIG_HOSTNAME
    • 0x4f0568:$a3: Usage: xmrig [OPTIONS]
    • 0x4ed7f6:$a4: XMRIG_VERSION
    x.rar.elfminer_lin_xmrig_stringsDetects XMRig ELFSekoia.io
    • 0x4f049a:$: XMRig
    • 0x4f1d68:$: XMRig
    • 0x4f23f8:$: pool_wallet
    • 0x4f242e:$: IP Address currently banned
    • 0x4f245f:$: rigid
    • 0x4f2c8e:$: diff_current
    • 0x4f2c9b:$: shares_good
    • 0x4f2ca7:$: shares_total
    • 0x4f2cb4:$: avg_time
    • 0x4f2cbd:$: avg_time
    • 0x4f2cbd:$: avg_time_ms
    • 0x4f2cc9:$: hashes_total
    • 0x4f2d8c:$: pool address
    • 0x4f2d99:$: ping time
    • 0x4f2da3:$: connection time
    • 0x55b168:$: connection time
    • 0x4f3080:$: daemon+https://
    • 0x4f3090:$: daemon+http://
    • 0x4f30a0:$: socks5://
    • 0x4f0168:$: stratum+ssl://
    • 0x4f30b0:$: stratum+ssl://

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    • AV Detection
    • Bitcoin Miner
    • Networking
    • System Summary
    • Persistence and Installation Behavior

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: x.rar.elfVirustotal: Detection: 44%Perma Link
    Source: x.rar.elfReversingLabs: Detection: 33%

    Bitcoin Miner

    barindex
    Source: Yara matchFile source: x.rar.elf, type: SAMPLE
    Source: x.rar.elfString found in binary or memory: stratum+ssl://randomx.xmrig.com:443
    Source: x.rar.elfString found in binary or memory: cryptonight/0
    Source: x.rar.elfString found in binary or memory: -o, --url=URL URL of mining server
    Source: x.rar.elfString found in binary or memory: stratum+tcp://
    Source: x.rar.elfString found in binary or memory: Usage: xmrig [OPTIONS]
    Source: x.rar.elfString found in binary or memory: XMRig 6.18.1
    Source: unknownTCP traffic detected without corresponding DNS query: 34.254.182.186
    Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
    Source: unknownTCP traffic detected without corresponding DNS query: 34.254.182.186
    Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
    Source: x.rar.elfString found in binary or memory: https://gcc.gnu.org/bugs/):
    Source: x.rar.elfString found in binary or memory: https://xmrig.com/benchmark/%s
    Source: x.rar.elfString found in binary or memory: https://xmrig.com/docs/algorithms
    Source: x.rar.elfString found in binary or memory: https://xmrig.com/wizard
    Source: x.rar.elfString found in binary or memory: https://xmrig.com/wizard%s
    Source: unknownNetwork traffic detected: HTTP traffic on port 59322 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59322
    Source: unknownNetwork traffic detected: HTTP traffic on port 46540 -> 443

    System Summary

    barindex
    Source: x.rar.elf, type: SAMPLEMatched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
    Source: x.rar.elf, type: SAMPLEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
    Source: x.rar.elf, type: SAMPLEMatched rule: Detects XMRig ELF Author: Sekoia.io
    Source: x.rar.elf, type: SAMPLEMatched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
    Source: x.rar.elf, type: SAMPLEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
    Source: x.rar.elf, type: SAMPLEMatched rule: miner_lin_xmrig_strings author = Sekoia.io, description = Detects XMRig ELF, creation_date = 2022-09-08, classification = TLP:CLEAR, version = 1.0, modification_date = 2024-01-04, id = 2f99020b-424c-4433-860c-5e9ab4e1f1de
    Source: classification engineClassification label: mal68.mine.linELF@0/0@0/0
    Source: /usr/bin/dash (PID: 5520)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.QH7mnZeNQY /tmp/tmp.SePge9FzMC /tmp/tmp.x4B175S2ROJump to behavior
    Source: /usr/bin/dash (PID: 5521)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.QH7mnZeNQY /tmp/tmp.SePge9FzMC /tmp/tmp.x4B175S2ROJump to behavior

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
    File Deletion    		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
    Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service

    Malware Configuration

    No configs have been found

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645463 Sample: x.rar.elf Startdate: 21/03/2025 Architecture: LINUX Score: 68 10 185.125.190.26, 443 CANONICAL-ASGB United Kingdom 2->10 12 34.254.182.186, 443, 59322 AMAZON-02US United States 2->12 14 Malicious sample detected (through community Yara rule) 2->14 16 Multi AV Scanner detection for submitted file 2->16 18 Yara detected Xmrig cryptocurrency miner 2->18 20 Found strings related to Crypto-Mining 2->20 6 dash rm 2->6         started        8 dash rm 2->8         started        signatures3 process4

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    x.rar.elf45%VirustotalBrowse
    x.rar.elf33%ReversingLabsLinux.Hacktool.Multiverze

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Download Network PCAP: filteredfull

    Contacted Domains

    No contacted domains info
    NameSourceMaliciousAntivirus DetectionReputation
    https://gcc.gnu.org/bugs/):x.rar.elffalse
      		high
      https://xmrig.com/benchmark/%sx.rar.elffalse
        		high
        https://xmrig.com/wizardx.rar.elffalse
          		high
          https://xmrig.com/wizard%sx.rar.elffalse
            		high
            https://xmrig.com/docs/algorithmsx.rar.elffalse
              		high

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              185.125.190.26
              		unknownUnited Kingdom
              		41231CANONICAL-ASGBfalse
              34.254.182.186
              		unknownUnited States
              		16509AMAZON-02USfalse

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              185.125.190.26na.elfGet hashmaliciousPrometeiBrowse
                46.19.143.26-mips-2025-03-01T06_09_25.elfGet hashmaliciousUnknownBrowse
                  boatnet.spc.elfGet hashmaliciousMiraiBrowse
                    sshd.elfGet hashmaliciousUnknownBrowse
                      hiss.mips.elfGet hashmaliciousUnknownBrowse
                        na.elfGet hashmaliciousPrometeiBrowse
                          na.elfGet hashmaliciousPrometeiBrowse
                            na.elfGet hashmaliciousPrometeiBrowse
                              na.elfGet hashmaliciousPrometeiBrowse
                                Space.arm.elfGet hashmaliciousMiraiBrowse
                                  34.254.182.186na.elfGet hashmaliciousPrometeiBrowse
                                    main_x86_64.elfGet hashmaliciousUnknownBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        miner.elfGet hashmaliciousUnknownBrowse
                                          na.elfGet hashmaliciousPrometeiBrowse
                                            Space.arm5.elfGet hashmaliciousUnknownBrowse
                                              arm.elfGet hashmaliciousUnknownBrowse
                                                bot.arm6.elfGet hashmaliciousUnknownBrowse
                                                  hiss.arm7.elfGet hashmaliciousUnknownBrowse
                                                    resgod.mpsl.elfGet hashmaliciousMiraiBrowse

                                                      Domains

                                                      No context

                                                      ASNs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      AMAZON-02USScanned Inv#118953-0012345.svgGet hashmaliciousHTMLPhisherBrowse
                                                      • 13.33.252.45
                                                      jwyt4py98x.arm7.elfGet hashmaliciousMiraiBrowse
                                                      • 34.249.145.219
                                                      jwyt4py98x.mips.elfGet hashmaliciousMiraiBrowse
                                                      • 54.171.230.55
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 52.212.150.54
                                                      EvaxLAF.exe1.exeGet hashmaliciousVidarBrowse
                                                      • 108.138.128.77
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 34.249.145.219
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 54.247.62.1
                                                      https://themsls.orgGet hashmaliciousUnknownBrowse
                                                      • 13.33.252.92
                                                      fJkp8HnAFY.dllGet hashmaliciousGhostRatBrowse
                                                      • 18.163.117.227
                                                      iR19HYdDBF.dllGet hashmaliciousGhostRatBrowse
                                                      • 18.163.117.227
                                                      CANONICAL-ASGBjwyt4py98x.arm7.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      jwyt4py98x.mips.elfGet hashmaliciousMiraiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 185.125.190.26
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                      • 91.189.91.42

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      No created / dropped files found

                                                      Static File Info

                                                      General

                                                      File type:ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, missing section headers at 7022752
                                                      Entropy (8bit):6.49804316555513
                                                      TrID:
                                                      • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
                                                      • ELF Executable and Linkable format (generic) (4004/1) 49.46%
                                                      • Lumena CEL bitmap (63/63) 0.78%
                                                      File name:x.rar.elf
                                                      File size:6'730'560 bytes
                                                      MD5:6c8a16ed9f183d652e44b33fba9b2f88
                                                      SHA1:20fbc68f08c22b5fa5152adbfb12e8177d507d6a
                                                      SHA256:eaf3671ee1af8990aa354f3bdc34a72192d56039105e4b1668fa0eec148bb716
                                                      SHA512:4e6b9da4f3654e079731b771e507647d494e9c3e0a587c3525690aa491bb26f3fe00b4434ace31a872df552b2912ae0619ebf9028754f681849c35ed8fb626d8
                                                      SSDEEP:98304:hVqJqQZKp/WfHooDvDvD0D9HT7TJ7itKaEub6KBsiMZSx784ZYjRPE3PE3PEXb2j:qJQWr7M0yGW5yrLz8yCSPfV+iDK0FKzj
                                                      TLSH:CB666D07B5A358FCC1AAC870865FD573BD70B8984211797B3694AB302F27E605B1DFA2
                                                      File Content Preview:.ELF..............>......z......@........"k.........@.8...@.............................................................................................^.H.....^.H.......................N.......N.......N.....-T......-T........................g......,g....

                                                      Network Behavior

                                                      Download Network PCAP: filteredfull

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Mar 21, 2025 19:28:45.681895971 CET59322443192.168.2.1434.254.182.186
                                                      Mar 21, 2025 19:28:51.570163012 CET46540443192.168.2.14185.125.190.26
                                                      Mar 21, 2025 19:29:10.148401976 CET59322443192.168.2.1434.254.182.186
                                                      Mar 21, 2025 19:29:10.338776112 CET4435932234.254.182.186192.168.2.14
                                                      Mar 21, 2025 19:29:22.548233032 CET46540443192.168.2.14185.125.190.26

                                                      System Behavior

                                                      General

                                                      Start time (UTC):18:29:09
                                                      Start date (UTC):21/03/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Process Activities


                                                      General

                                                      Start time (UTC):18:29:09
                                                      Start date (UTC):21/03/2025
                                                      Path:/usr/bin/rm
                                                      Arguments:rm -f /tmp/tmp.QH7mnZeNQY /tmp/tmp.SePge9FzMC /tmp/tmp.x4B175S2RO
                                                      File size:72056 bytes
                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                      File Activities


                                                      General

                                                      Start time (UTC):18:29:09
                                                      Start date (UTC):21/03/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Process Activities


                                                      General

                                                      Start time (UTC):18:29:09
                                                      Start date (UTC):21/03/2025
                                                      Path:/usr/bin/rm
                                                      Arguments:rm -f /tmp/tmp.QH7mnZeNQY /tmp/tmp.SePge9FzMC /tmp/tmp.x4B175S2RO
                                                      File size:72056 bytes
                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                      File Activities