Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:ppc.elf
Analysis ID:1646213
MD5:d9ea67c781436e1622cea76086ec1bc9
SHA1:2c82d0c28ce7757c13a292af632e5a2c108c2257
SHA256:cdcc19eec2ff0e5d6adc583fbad096b2ad524e96a4fd2fa713c57ec76335e38e
Tags:elfuser-abuse_ch
Infos:

Detection

Score:68
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Sample deletes itself
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646213
Start date and time:2025-03-23 17:07:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ppc.elf
Detection:MAL
Classification:mal68.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:/tmp/ppc.elf
PID:5435
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Obliterate You
Standard Error:

Process Tree

  • system is lnxubuntu20
  • ppc.elf (PID: 5435, Parent: 5349, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf
    • ppc.elf New Fork (PID: 5438, Parent: 5435)
      • ppc.elf New Fork (PID: 5440, Parent: 5438)
        • ppc.elf New Fork (PID: 5442, Parent: 5440)
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: ppc.elfAvira: detected
Source: ppc.elfVirustotal: Detection: 39%Perma Link
Source: ppc.elfReversingLabs: Detection: 50%

Networking

barindex
Source: global trafficTCP traffic: 198.98.51.68 ports 1,2,3,4,5,23451
Source: global trafficTCP traffic: 192.168.2.13:38802 -> 198.98.51.68:23451
Source: /tmp/ppc.elf (PID: 5435)Socket: 127.0.0.1:23451Jump to behavior
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: unknownTCP traffic detected without corresponding DNS query: 198.98.51.68
Source: ppc.elfString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x100000
Source: classification engineClassification label: mal68.troj.evad.linELF@0/0@0/0

Data Obfuscation

barindex
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Hooking and other Techniques for Hiding and Protection

barindex
Source: /tmp/ppc.elf (PID: 5435)File: /tmp/ppc.elfJump to behavior
Source: ppc.elfSubmission file: segment LOAD with 7.9344 entropy (max. 8.0)
Source: /tmp/ppc.elf (PID: 5435)Queries kernel information via 'uname': Jump to behavior
Source: ppc.elf, 5435.1.000055e59339b000.000055e59344b000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc1
Source: ppc.elf, 5435.1.00007ffea15a0000.00007ffea15c1000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 5435.1.000055e59339b000.000055e59344b000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 5435.1.00007ffea15a0000.00007ffea15c1000.rw-.sdmpBinary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
File Deletion		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646213 Sample: ppc.elf Startdate: 23/03/2025 Architecture: LINUX Score: 68 18 198.98.51.68, 23451, 38802 PONYNETUS United States 2->18 20 Antivirus / Scanner detection for submitted sample 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Connects to many ports of the same IP (likely port scanning) 2->24 26 Sample is packed with UPX 2->26 9 ppc.elf 2->9         started        signatures3 process4 signatures5 28 Sample deletes itself 9->28 12 ppc.elf 9->12         started        process6 process7 14 ppc.elf 12->14         started        process8 16 ppc.elf 14->16         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ppc.elf39%VirustotalBrowse
ppc.elf50%ReversingLabsLinux.Trojan.Multiverze
ppc.elf100%AviraEXP/ELF.Agent.F.118

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netppc.elffalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    198.98.51.68
    		unknownUnited States
    		53667PONYNETUStrue

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    198.98.51.68arm.elfGet hashmaliciousMiraiBrowse
      x86.elfGet hashmaliciousMiraiBrowse
        mpsl.elfGet hashmaliciousMiraiBrowse
          mips.elfGet hashmaliciousMiraiBrowse
            i486.elfGet hashmaliciousUnknownBrowse
              arm7.elfGet hashmaliciousMiraiBrowse
                x86_64.elfGet hashmaliciousMiraiBrowse

                  Domains

                  No context

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  PONYNETUSarm.elfGet hashmaliciousMiraiBrowse
                  • 198.98.51.68
                  x86.elfGet hashmaliciousMiraiBrowse
                  • 198.98.51.68
                  mpsl.elfGet hashmaliciousMiraiBrowse
                  • 198.98.51.68
                  mips.elfGet hashmaliciousMiraiBrowse
                  • 198.98.51.68
                  i486.elfGet hashmaliciousUnknownBrowse
                  • 198.98.51.68
                  arm7.elfGet hashmaliciousMiraiBrowse
                  • 198.98.51.68
                  x86_64.elfGet hashmaliciousMiraiBrowse
                  • 198.98.51.68
                  boatnet.ppc.elfGet hashmaliciousMiraiBrowse
                  • 209.141.40.172
                  boatnet.m68k.elfGet hashmaliciousMiraiBrowse
                  • 209.141.40.172
                  boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                  • 209.141.40.172

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  No created / dropped files found

                  Static File Info

                  General

                  File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
                  Entropy (8bit):7.931106726682551
                  TrID:
                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                  File name:ppc.elf
                  File size:27'344 bytes
                  MD5:d9ea67c781436e1622cea76086ec1bc9
                  SHA1:2c82d0c28ce7757c13a292af632e5a2c108c2257
                  SHA256:cdcc19eec2ff0e5d6adc583fbad096b2ad524e96a4fd2fa713c57ec76335e38e
                  SHA512:ce3153f6ce33e4d7da9d303ef3d39d2c0a51048744e1c92c248e51f73e1f7740cde0d91ecd5c255aa535c731326f975c7d563024753e5efbe5f54abf87b169ed
                  SSDEEP:768:xuN/6uz/egpiH6jEFfnUXMCKWWpv84qzX84uVcqgw09w:xuNS4pidoMBWpX84u+qgw09w
                  TLSH:27C2E061E252ACD2FF6EDEB05C565FD42BB00F9FE3C9158210EDE3501B4685D2926DC8
                  File Content Preview:.ELF......................W....4.........4. ...(......................i...i................`...`...`................dt.Q................................UPX!.......................R.......?.E.h4...@b.............J\x...C.lVC.oE....z...4{..+dlX.-2)..P1-]8..)

                  Static ELF Info

                  ELF header

                  Class:ELF32
                  Data:2's complement, big endian
                  Version:1 (current)
                  Machine:PowerPC
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:UNIX - Linux
                  ABI Version:0
                  Entry Point Address:0x1057e0
                  Flags:0x0
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:0
                  Section Header Size:40
                  Number of Section Headers:0
                  Header String Table Index:0

                  Program Segments

                  TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                  LOAD0x00x1000000x1000000x69c80x69c87.93440x5R E0x10000
                  LOAD0xa600x10020a600x10020a600x00x00.00000x6RW 0x10000
                  GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                  Network Behavior

                  Download Network PCAP: filteredfull

                  TimestampSource PortDest PortSource IPDest IP
                  Mar 23, 2025 17:07:59.207688093 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:07:59.297780037 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:07:59.297847033 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:07:59.327023029 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:07:59.417236090 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:07:59.417294025 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:07:59.506864071 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:08:09.333129883 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:08:09.422987938 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:08:09.423047066 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:08:09.423172951 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:08:24.528589964 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:08:24.528660059 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:08:39.620872974 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:08:39.621064901 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:08:54.710650921 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:08:54.710720062 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:09:09.457921028 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:09:09.551302910 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:09:09.551455021 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:09:24.660181046 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:09:24.660331964 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:09:39.750096083 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:09:39.750170946 CET3880223451192.168.2.13198.98.51.68
                  Mar 23, 2025 17:09:54.839317083 CET2345138802198.98.51.68192.168.2.13
                  Mar 23, 2025 17:09:54.839580059 CET3880223451192.168.2.13198.98.51.68

                  System Behavior

                  General

                  Start time (UTC):16:07:58
                  Start date (UTC):23/03/2025
                  Path:/tmp/ppc.elf
                  Arguments:/tmp/ppc.elf
                  File size:5388968 bytes
                  MD5 hash:ae65271c943d3451b7f026d1fadccea6

                  File Activities

                  Process Activities

                  System Activities

                  Network Activities


                  General

                  Start time (UTC):16:07:58
                  Start date (UTC):23/03/2025
                  Path:/tmp/ppc.elf
                  Arguments:-
                  File size:5388968 bytes
                  MD5 hash:ae65271c943d3451b7f026d1fadccea6

                  Process Activities

                  Network Activities


                  General

                  Start time (UTC):16:07:58
                  Start date (UTC):23/03/2025
                  Path:/tmp/ppc.elf
                  Arguments:-
                  File size:5388968 bytes
                  MD5 hash:ae65271c943d3451b7f026d1fadccea6

                  File Activities

                  Process Activities


                  General

                  Start time (UTC):16:07:58
                  Start date (UTC):23/03/2025
                  Path:/tmp/ppc.elf
                  Arguments:-
                  File size:5388968 bytes
                  MD5 hash:ae65271c943d3451b7f026d1fadccea6

                  File Activities

                  Process Activities