Linux Analysis Report
ixXoLDt5pH.elf

Overview

General Information

Sample name: ixXoLDt5pH.elf (renamed because original name is a hash value)
Original sample name: 61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753.elf
Analysis ID: 1646374
MD5: 77f516739374e597454f6a9a7f99df38
SHA1: 0fea9b6983f36b44ede53e9842d1948d0fc91c19
SHA256: 61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753
Tags: elf, user-mentality
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 48
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1646374
Start date and time: 2025-03-23 23:29:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal48.linELF@0/0@0/0
Command: /tmp/ixXoLDt5pH.elf
PID: 6237
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault invalid memory reference
Killed: False
Standard Output:

Standard Error:
No yara matches
No Suricata rule has matched

AV Detection

Source: ixXoLDt5pH.elf | Virustotal: Detection: 48%
Source: ixXoLDt5pH.elf | ReversingLabs: Detection: 52%
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engine | Classification label: mal48.linELF@0/0@0/0
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Cells with hits, both in the Command and Control column: 1 Encrypted Channel, 1 Application Layer Protocol.
No configs have been found

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph ID: 1646374 | Sample: ixXoLDt5pH.elf | Start date: 23/03/2025 | Architecture: LINUX | Score: 48
  • 109.202.202.202, port 80, INIT7CH, Switzerland
  • 91.189.91.42, port 443, CANONICAL-ASGB, United Kingdom
  • 91.189.91.43, port 443, CANONICAL-ASGB, United Kingdom
  • Signature: Multi AV Scanner detection for submitted file
Source | Detection | Scanner | Label
  • ixXoLDt5pH.elf | 48% | Virustotal
  • ixXoLDt5pH.elf | 53% | ReversingLabs | Linux.Trojan.Multiverze
No Antivirus matches

No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
  • 109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
  • 91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
  • 91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
IP context (Match | Associated Sample Name / URL | Detection | Threat Name):
  • 109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown
    contacted URL: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
  • 91.189.91.43 | na.elf (malicious, Prometei); powerpc.elf (malicious, Mirai); m68k.elf (malicious, Mirai); x86_64.elf (malicious, Mirai); mips.elf (malicious, Mirai); mipsel.elf (malicious, Mirai); bot.elf (malicious, Unknown); parm5.elf (malicious, Unknown); pmips.elf (malicious, Mirai); gigab.sh4.elf (malicious, Unknown)
  • 91.189.91.42 | na.elf (malicious, Prometei); powerpc.elf (malicious, Mirai); m68k.elf (malicious, Mirai); x86_64.elf (malicious, Mirai); mips.elf (malicious, Mirai); mipsel.elf (malicious, Mirai); bot.elf (malicious, Unknown); parm5.elf (malicious, Unknown); pmips.elf (malicious, Mirai); gigab.sh4.elf (malicious, Unknown)
                                          No context
ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context IP):
  • CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
  • CANONICAL-ASGB | powerpc.elf | malicious | Mirai | 91.189.91.42
  • CANONICAL-ASGB | m68k.elf | malicious | Mirai | 91.189.91.42
  • CANONICAL-ASGB | x86_64.elf | malicious | Mirai | 91.189.91.42
  • CANONICAL-ASGB | mips.elf | malicious | Mirai | 91.189.91.42
  • CANONICAL-ASGB | mipsel.elf | malicious | Mirai | 91.189.91.42
  • CANONICAL-ASGB | owari.arm6.elf | malicious | Unknown | 185.125.190.26
  • CANONICAL-ASGB | bot.elf | malicious | Unknown | 91.189.91.42
  • CANONICAL-ASGB | parm5.elf | malicious | Unknown | 91.189.91.42
  • CANONICAL-ASGB | pmips.elf | malicious | Mirai | 91.189.91.42
  • INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
  • INIT7CH | powerpc.elf | malicious | Mirai | 109.202.202.202
  • INIT7CH | m68k.elf | malicious | Mirai | 109.202.202.202
  • INIT7CH | x86_64.elf | malicious | Mirai | 109.202.202.202
  • INIT7CH | mips.elf | malicious | Mirai | 109.202.202.202
  • INIT7CH | mipsel.elf | malicious | Mirai | 109.202.202.202
  • INIT7CH | bot.elf | malicious | Unknown | 109.202.202.202
  • INIT7CH | parm5.elf | malicious | Unknown | 109.202.202.202
  • INIT7CH | pmips.elf | malicious | Mirai | 109.202.202.202
  • INIT7CH | gigab.sh4.elf | malicious | Unknown | 109.202.202.202
                                          No context
                                          No created / dropped files found
File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 30304408
Entropy (8bit): 6.166632140105277
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: ixXoLDt5pH.elf
File size: 655'360 bytes
MD5: 77f516739374e597454f6a9a7f99df38
SHA1: 0fea9b6983f36b44ede53e9842d1948d0fc91c19
SHA256: 61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753
SHA512: 3b45bbef6a1fa538e2bf2a2d23198b90e67e6a2687117df48737011ef20dc8f195bd0b033bfc05261effea7bac20c529ecd1e657fadab01583352becd810e9b3
SSDEEP: 12288:ciZLBtBn77RD3w2AJK7g9rb/TBvO90dL3BmAFd4A64nsfJEc:ci3nHRD3wC7g9rb/TBvO90dL3BmAFd4f
TLSH: 10D4F757A89550F4C1FEE134C66AA213BDA13499073827D72FA147F10B26FF86A7C368
File Content Preview: .ELF..............>.....p4@.....@........`..........@.8...@.#.".........@.......@.@.....@.@...............................................@.......@...............................................@.......@......%.......%.......................0.......0@....

  • Total Packets: 6
  • 443 (HTTPS)
  • 80 (HTTP)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
  • Mar 23, 2025 23:30:49.536012888 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
  • Mar 23, 2025 23:30:50.303929090 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
  • Mar 23, 2025 23:31:03.870476007 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
  • Mar 23, 2025 23:31:16.156532049 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
  • Mar 23, 2025 23:31:20.251676083 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
  • Mar 23, 2025 23:31:44.824367046 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42

                                          System Behavior