Edit tour

Linux Analysis Report
morte.arm6.elf

Overview

General Information

Sample name:morte.arm6.elf
Analysis ID:1646162
MD5:c4777bafee9a9f5a8f6fd407897ec93b
SHA1:07c887ad07ee4fe98ce85789ad46edaba40dedb1
SHA256:68ed701705f1fc962bf3515a235afcc792b008525a0d72f5f3f9f7ceb7d80f0d
Tags:elfuser-abuse_ch
Infos:

Detection

Gafgyt, Okiru
Score:68
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Okiru
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646162
Start date and time:2025-03-23 13:47:16 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:morte.arm6.elf
Detection:MAL
Classification:mal68.troj.evad.linELF@0/0@2/0
Command:/tmp/morte.arm6.elf
PID:5433
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • morte.arm6.elf (PID: 5433, Parent: 5359, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/morte.arm6.elf
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Bashlite, GafgytBashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
SourceRuleDescriptionAuthorStrings
5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmpJoeSecurity_GafgytYara detected GafgytJoe Security
    5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmpJoeSecurity_OkiruYara detected OkiruJoe Security
      Process Memory Space: morte.arm6.elf PID: 5433JoeSecurity_OkiruYara detected OkiruJoe Security
        No Suricata rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: morte.arm6.elfReversingLabs: Detection: 41%
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: morte.arm6.elfString found in binary or memory: http://upx.sf.net
        Source: LOAD without section mappingsProgram segment: 0x8000
        Source: classification engineClassification label: mal68.troj.evad.linELF@0/0@2/0

        Data Obfuscation

        barindex
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: morte.arm6.elfSubmission file: segment LOAD with 7.9838 entropy (max. 8.0)
        Source: /tmp/morte.arm6.elf (PID: 5433)Queries kernel information via 'uname': Jump to behavior
        Source: morte.arm6.elf, 5433.1.00007fffe74a3000.00007fffe74c4000.rw-.sdmpBinary or memory string: p=x86_64/usr/bin/qemu-arm/tmp/morte.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/morte.arm6.elf
        Source: morte.arm6.elf, 5433.1.00005562f6549000.00005562f66b7000.rw-.sdmpBinary or memory string: bU!/etc/qemu-binfmt/arm
        Source: morte.arm6.elf, 5433.1.00005562f6549000.00005562f66b7000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: morte.arm6.elf, 5433.1.00007fffe74a3000.00007fffe74c4000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
        Source: morte.arm6.elf, 5433.1.00007fffe74a3000.00007fffe74c4000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: morte.arm6.elf PID: 5433, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: morte.arm6.elf PID: 5433, type: MEMORYSTR
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
        Obfuscated Files or Information
        OS Credential Dumping11
        Security Software Discovery
        Remote ServicesData from Local System1
        Non-Application Layer Protocol
        Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol
        Exfiltration Over BluetoothNetwork Denial of Service
        No configs have been found
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646162 Sample: morte.arm6.elf Startdate: 23/03/2025 Architecture: LINUX Score: 68 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected Okiru 2->12 14 Yara detected Gafgyt 2->14 16 Sample is packed with UPX 2->16 6 morte.arm6.elf 2->6         started        signatures3 process4
        SourceDetectionScannerLabelLink
        morte.arm6.elf42%ReversingLabsLinux.Trojan.Mirai
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches

        Download Network PCAP: filteredfull

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        162.213.35.24
        truefalse
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://upx.sf.netmorte.arm6.elffalse
            high
            No contacted IP infos
            No context
            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            daisy.ubuntu.commorte.m68k.elfGet hashmaliciousGafgyt, OkiruBrowse
            • 162.213.35.25
            sshd.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            arm6.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.24
            .i.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            drea4.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            efea6.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            boatnet.ppc.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            boatnet.m68k.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.24
            boatnet.arm7.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            boatnet.x86.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            No context
            No context
            No context
            No created / dropped files found
            File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
            Entropy (8bit):7.982655989737377
            TrID:
            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
            File name:morte.arm6.elf
            File size:59'116 bytes
            MD5:c4777bafee9a9f5a8f6fd407897ec93b
            SHA1:07c887ad07ee4fe98ce85789ad46edaba40dedb1
            SHA256:68ed701705f1fc962bf3515a235afcc792b008525a0d72f5f3f9f7ceb7d80f0d
            SHA512:7d7d4514ec683765ad00c283d86a8ace17a7c9fc0ff39352cd0b684f32dcc3944a6e32f06300ca892b009e1dc7cd0b81867f0bcb408b3c1625a07ed3ea79c1ba
            SSDEEP:768:S9eXNi+8o4i2NP56kBQx7bEUYsEXVi30esw0VXiQUfDLJTPUwBHhXO9q3UELu:uiiRk2QltYhiNsw0VX3UfX5pZzLu
            TLSH:AA43F23726671D30BA73193BE7B9A1037259AABCE6F5391025D985487DCF3CE00689C7
            File Content Preview:.ELF..............(......S..4...........4. ...(..........................................*...*...*..................Q.td...............................sUPX!........0c..0c......T..........?.E.h;....#..$..1).}.*..,.|..p:...5.7.pR......|...@..+..k..YF....]..

            ELF header

            Class:ELF32
            Data:2's complement, little endian
            Version:1 (current)
            Machine:ARM
            Version Number:0x1
            Type:EXEC (Executable file)
            OS/ABI:UNIX - Linux
            ABI Version:0
            Entry Point Address:0x153b0
            Flags:0x4000002
            ELF Header Size:52
            Program Header Offset:52
            Program Header Size:32
            Number of Program Headers:3
            Section Header Offset:0
            Section Header Size:40
            Number of Section Headers:0
            Header String Table Index:0
            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
            LOAD0x00x80000x80000xe59d0xe59d7.98380x5R E0x8000
            LOAD0x2a8c0x42a8c0x42a8c0x00x00.00000x6RW 0x8000
            GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

            Download Network PCAP: filteredfull

            TimestampSource PortDest PortSource IPDest IP
            Mar 23, 2025 13:48:06.330466986 CET3476053192.168.2.131.1.1.1
            Mar 23, 2025 13:48:06.330528021 CET4252653192.168.2.131.1.1.1
            Mar 23, 2025 13:48:06.430254936 CET53347601.1.1.1192.168.2.13
            Mar 23, 2025 13:48:06.431469917 CET53425261.1.1.1192.168.2.13
            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
            Mar 23, 2025 13:48:06.330466986 CET192.168.2.131.1.1.10xc1d1Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
            Mar 23, 2025 13:48:06.330528021 CET192.168.2.131.1.1.10x6baeStandard query (0)daisy.ubuntu.com28IN (0x0001)false
            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Mar 23, 2025 13:48:06.430254936 CET1.1.1.1192.168.2.130xc1d1No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
            Mar 23, 2025 13:48:06.430254936 CET1.1.1.1192.168.2.130xc1d1No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

            System Behavior

            Start time (UTC):12:48:05
            Start date (UTC):23/03/2025
            Path:/tmp/morte.arm6.elf
            Arguments:/tmp/morte.arm6.elf
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1