Linux
Analysis Report
i486.elf
Overview
General Information
Sample name: | i486.elf |
Analysis ID: | 1646135 |
MD5: | 3f68612e145ef42a8fae216f1ded4e39 |
SHA1: | b77d1ec443425df5e40e8c256e783d258115d676 |
SHA256: | d91e6bbb3282f66f36a345fe9e1f4e1d6f295a1113fa81b457ab8a31ca3dc4f7 |
Tags: | elfuser-abuse_ch |
Infos: |
Detection
Score: | 68 |
Range: | 0 - 100 |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Sample deletes itself
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Yara signature match
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1646135 |
Start date and time: | 2025-03-23 12:16:22 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | i486.elf |
Detection: | MAL |
Classification: | mal68.troj.evad.linELF@0/0@0/0 |
Command: | /tmp/i486.elf |
PID: | 5553 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | Obliterate You |
Standard Error: |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Linux_Trojan_Mirai_3a56423b | unknown | unknown |
| |
Linux_Trojan_Mirai_6e8e9257 | unknown | unknown |
| |
Linux_Trojan_Mirai_dab39a25 | unknown | unknown |
|
⊘No Suricata rule has matched
- • AV Detection
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Networking |
---|
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Program segment: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Data Obfuscation |
---|
Source: | String containing UPX found: | ||
Source: | String containing UPX found: | ||
Source: | String containing UPX found: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File: | Jump to behavior |
Source: | Submission file: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 11 Obfuscated Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 File Deletion | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
36% | ReversingLabs | Linux.Backdoor.Mirai |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
198.98.51.68 | unknown | United States | 53667 | PONYNETUS | true |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
198.98.51.68 | Get hash | malicious | Mirai | Browse | ||
Get hash | malicious | Mirai | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
PONYNETUS | Get hash | malicious | Mirai | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 7.884949616555641 |
TrID: |
|
File name: | i486.elf |
File size: | 29'384 bytes |
MD5: | 3f68612e145ef42a8fae216f1ded4e39 |
SHA1: | b77d1ec443425df5e40e8c256e783d258115d676 |
SHA256: | d91e6bbb3282f66f36a345fe9e1f4e1d6f295a1113fa81b457ab8a31ca3dc4f7 |
SHA512: | 930a9b56dfa284908921a7496d9fb83c17ccccc250cf81a9ad05c35f61a5d11ef63ff605321666edae1147c06ef5a640010305ff11b2ea6f6ed60f55a08b16de |
SSDEEP: | 768:GAMkl2mywTPbo69Hq4x9u2yyIqSyyQbNO4KCXL:925wTPE4TyXryzlKC7 |
TLSH: | 9CD2028B60CF42CADAD4C237D8CF15DE5BA27A70579C976367306453CA8F058E1ACD14 |
File Content Preview: | .ELF.....................y..4...........4. ...(......................q...q..............H...Hm..Hm..................Q.td...............................4UPX!...................._........?d..ELF.......d.......4....4. (.......k.-.#.8......sw....t..`..@....A. |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 0 |
Section Header Size: | 40 |
Number of Section Headers: | 0 |
Header String Table Index: | 0 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0xc01000 | 0xc01000 | 0x71c3 | 0x71c3 | 7.8894 | 0x5 | R E | 0x1000 | ||
LOAD | 0xd48 | 0x8056d48 | 0x8056d48 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x1000 | ||
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |
Download Network PCAP: filtered – full
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 23, 2025 12:17:16.882164955 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:16.972043037 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:16.972126007 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:16.972168922 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:17.064136028 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:17.064210892 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:17.154001951 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:26.978599072 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:27.068337917 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:27.068391085 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:27.068438053 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:42.193872929 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:42.193974018 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:17:57.283355951 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:17:57.283690929 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:18:12.373177052 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:18:12.373752117 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:18:27.117918015 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:18:27.208148003 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:18:27.208271027 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:18:42.353029966 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:18:42.353163004 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:18:57.442672968 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:18:57.443048000 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
Mar 23, 2025 12:19:12.533006907 CET | 23451 | 38590 | 198.98.51.68 | 192.168.2.15 |
Mar 23, 2025 12:19:12.533468008 CET | 38590 | 23451 | 192.168.2.15 | 198.98.51.68 |
System Behavior
Start time (UTC): | 11:17:15 |
Start date (UTC): | 23/03/2025 |
Path: | /tmp/i486.elf |
Arguments: | /tmp/i486.elf |
File size: | 29384 bytes |
MD5 hash: | 3f68612e145ef42a8fae216f1ded4e39 |
Start time (UTC): | 11:17:15 |
Start date (UTC): | 23/03/2025 |
Path: | /tmp/i486.elf |
Arguments: | - |
File size: | 29384 bytes |
MD5 hash: | 3f68612e145ef42a8fae216f1ded4e39 |
Start time (UTC): | 11:17:15 |
Start date (UTC): | 23/03/2025 |
Path: | /tmp/i486.elf |
Arguments: | - |
File size: | 29384 bytes |
MD5 hash: | 3f68612e145ef42a8fae216f1ded4e39 |
Start time (UTC): | 11:17:15 |
Start date (UTC): | 23/03/2025 |
Path: | /tmp/i486.elf |
Arguments: | - |
File size: | 29384 bytes |
MD5 hash: | 3f68612e145ef42a8fae216f1ded4e39 |