Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
morte.arm6.elf

Overview

General Information

Sample name:morte.arm6.elf
Analysis ID:1646162
MD5:c4777bafee9a9f5a8f6fd407897ec93b
SHA1:07c887ad07ee4fe98ce85789ad46edaba40dedb1
SHA256:68ed701705f1fc962bf3515a235afcc792b008525a0d72f5f3f9f7ceb7d80f0d
Tags:elfuser-abuse_ch
Infos:

Detection

Gafgyt, Okiru
Score:68
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Okiru
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646162
Start date and time:2025-03-23 13:47:16 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:morte.arm6.elf
Detection:MAL
Classification:mal68.troj.evad.linELF@0/0@2/0

Runtime Messages

Command:/tmp/morte.arm6.elf
PID:5433
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • morte.arm6.elf (PID: 5433, Parent: 5359, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/morte.arm6.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Bashlite, GafgytBashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmpJoeSecurity_GafgytYara detected GafgytJoe Security
    5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmpJoeSecurity_OkiruYara detected OkiruJoe Security
      Process Memory Space: morte.arm6.elf PID: 5433JoeSecurity_OkiruYara detected OkiruJoe Security

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        • AV Detection
        • Networking
        • System Summary
        • Data Obfuscation
        • Hooking and other Techniques for Hiding and Protection
        • Malware Analysis System Evasion
        • Stealing of Sensitive Information
        • Remote Access Functionality

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: morte.arm6.elfReversingLabs: Detection: 41%
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: morte.arm6.elfString found in binary or memory: http://upx.sf.net
        Source: LOAD without section mappingsProgram segment: 0x8000
        Source: classification engineClassification label: mal68.troj.evad.linELF@0/0@2/0

        Data Obfuscation

        barindex
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: morte.arm6.elfSubmission file: segment LOAD with 7.9838 entropy (max. 8.0)
        Source: /tmp/morte.arm6.elf (PID: 5433)Queries kernel information via 'uname': Jump to behavior
        Source: morte.arm6.elf, 5433.1.00007fffe74a3000.00007fffe74c4000.rw-.sdmpBinary or memory string: p=x86_64/usr/bin/qemu-arm/tmp/morte.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/morte.arm6.elf
        Source: morte.arm6.elf, 5433.1.00005562f6549000.00005562f66b7000.rw-.sdmpBinary or memory string: bU!/etc/qemu-binfmt/arm
        Source: morte.arm6.elf, 5433.1.00005562f6549000.00005562f66b7000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: morte.arm6.elf, 5433.1.00007fffe74a3000.00007fffe74c4000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
        Source: morte.arm6.elf, 5433.1.00007fffe74a3000.00007fffe74c4000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: morte.arm6.elf PID: 5433, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5433.1.00007ffaa8017000.00007ffaa8038000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: morte.arm6.elf PID: 5433, type: MEMORYSTR

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
        Obfuscated Files or Information        		OS Credential Dumping11
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Application Layer Protocol        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646162 Sample: morte.arm6.elf Startdate: 23/03/2025 Architecture: LINUX Score: 68 8 daisy.ubuntu.com 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected Okiru 2->12 14 Yara detected Gafgyt 2->14 16 Sample is packed with UPX 2->16 6 morte.arm6.elf 2->6         started        signatures3 process4

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        morte.arm6.elf42%ReversingLabsLinux.Trojan.Mirai

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Download Network PCAP: filteredfull

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        		162.213.35.24
        		truefalse
          		high
          NameSourceMaliciousAntivirus DetectionReputation
          http://upx.sf.netmorte.arm6.elffalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            daisy.ubuntu.commorte.m68k.elfGet hashmaliciousGafgyt, OkiruBrowse
            • 162.213.35.25
            sshd.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            arm6.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.24
            .i.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            drea4.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            efea6.elfGet hashmaliciousUnknownBrowse
            • 162.213.35.25
            boatnet.ppc.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            boatnet.m68k.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.24
            boatnet.arm7.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25
            boatnet.x86.elfGet hashmaliciousMiraiBrowse
            • 162.213.35.25

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
            Entropy (8bit):7.982655989737377
            TrID:
            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
            File name:morte.arm6.elf
            File size:59'116 bytes
            MD5:c4777bafee9a9f5a8f6fd407897ec93b
            SHA1:07c887ad07ee4fe98ce85789ad46edaba40dedb1
            SHA256:68ed701705f1fc962bf3515a235afcc792b008525a0d72f5f3f9f7ceb7d80f0d
            SHA512:7d7d4514ec683765ad00c283d86a8ace17a7c9fc0ff39352cd0b684f32dcc3944a6e32f06300ca892b009e1dc7cd0b81867f0bcb408b3c1625a07ed3ea79c1ba
            SSDEEP:768:S9eXNi+8o4i2NP56kBQx7bEUYsEXVi30esw0VXiQUfDLJTPUwBHhXO9q3UELu:uiiRk2QltYhiNsw0VX3UfX5pZzLu
            TLSH:AA43F23726671D30BA73193BE7B9A1037259AABCE6F5391025D985487DCF3CE00689C7
            File Content Preview:.ELF..............(......S..4...........4. ...(..........................................*...*...*..................Q.td...............................sUPX!........0c..0c......T..........?.E.h;....#..$..1).}.*..,.|..p:...5.7.pR......|...@..+..k..YF....]..

            Static ELF Info

            ELF header

            Class:ELF32
            Data:2's complement, little endian
            Version:1 (current)
            Machine:ARM
            Version Number:0x1
            Type:EXEC (Executable file)
            OS/ABI:UNIX - Linux
            ABI Version:0
            Entry Point Address:0x153b0
            Flags:0x4000002
            ELF Header Size:52
            Program Header Offset:52
            Program Header Size:32
            Number of Program Headers:3
            Section Header Offset:0
            Section Header Size:40
            Number of Section Headers:0
            Header String Table Index:0

            Program Segments

            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
            LOAD0x00x80000x80000xe59d0xe59d7.98380x5R E0x8000
            LOAD0x2a8c0x42a8c0x42a8c0x00x00.00000x6RW 0x8000
            GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

            Network Behavior

            Download Network PCAP: filteredfull

            TimestampSource PortDest PortSource IPDest IP
            Mar 23, 2025 13:48:06.330466986 CET3476053192.168.2.131.1.1.1
            Mar 23, 2025 13:48:06.330528021 CET4252653192.168.2.131.1.1.1
            Mar 23, 2025 13:48:06.430254936 CET53347601.1.1.1192.168.2.13
            Mar 23, 2025 13:48:06.431469917 CET53425261.1.1.1192.168.2.13

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
            Mar 23, 2025 13:48:06.330466986 CET192.168.2.131.1.1.10xc1d1Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
            Mar 23, 2025 13:48:06.330528021 CET192.168.2.131.1.1.10x6baeStandard query (0)daisy.ubuntu.com28IN (0x0001)false

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Mar 23, 2025 13:48:06.430254936 CET1.1.1.1192.168.2.130xc1d1No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
            Mar 23, 2025 13:48:06.430254936 CET1.1.1.1192.168.2.130xc1d1No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

            System Behavior

            General

            Start time (UTC):12:48:05
            Start date (UTC):23/03/2025
            Path:/tmp/morte.arm6.elf
            Arguments:/tmp/morte.arm6.elf
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

            File Activities

            Process Activities

            System Activities