Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
ixXoLDt5pH.elf

Overview

General Information

Sample name:ixXoLDt5pH.elf
renamed because original name is a hash value
Original sample name:61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753.elf
Analysis ID:1646374
MD5:77f516739374e597454f6a9a7f99df38
SHA1:0fea9b6983f36b44ede53e9842d1948d0fc91c19
SHA256:61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753
Tags:elfuser-mentality
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646374
Start date and time:2025-03-23 23:29:55 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ixXoLDt5pH.elf
renamed because original name is a hash value
Original Sample Name:61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found

Runtime Messages

Command:/tmp/ixXoLDt5pH.elf
PID:6237
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: ixXoLDt5pH.elfVirustotal: Detection: 48%Perma Link
Source: ixXoLDt5pH.elfReversingLabs: Detection: 52%
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engineClassification label: mal48.linELF@0/0@0/0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646374 Sample: ixXoLDt5pH.elf Startdate: 23/03/2025 Architecture: LINUX Score: 48 6 109.202.202.202, 80 INIT7CH Switzerland 2->6 8 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->8 10 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->10 12 Multi AV Scanner detection for submitted file 2->12 signatures3

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ixXoLDt5pH.elf48%VirustotalBrowse
ixXoLDt5pH.elf53%ReversingLabsLinux.Trojan.Multiverze

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43na.elfGet hashmaliciousPrometeiBrowse
    powerpc.elfGet hashmaliciousMiraiBrowse
      m68k.elfGet hashmaliciousMiraiBrowse
        x86_64.elfGet hashmaliciousMiraiBrowse
          mips.elfGet hashmaliciousMiraiBrowse
            mipsel.elfGet hashmaliciousMiraiBrowse
              bot.elfGet hashmaliciousUnknownBrowse
                parm5.elfGet hashmaliciousUnknownBrowse
                  pmips.elfGet hashmaliciousMiraiBrowse
                    gigab.sh4.elfGet hashmaliciousUnknownBrowse
                      91.189.91.42na.elfGet hashmaliciousPrometeiBrowse
                        powerpc.elfGet hashmaliciousMiraiBrowse
                          m68k.elfGet hashmaliciousMiraiBrowse
                            x86_64.elfGet hashmaliciousMiraiBrowse
                              mips.elfGet hashmaliciousMiraiBrowse
                                mipsel.elfGet hashmaliciousMiraiBrowse
                                  bot.elfGet hashmaliciousUnknownBrowse
                                    parm5.elfGet hashmaliciousUnknownBrowse
                                      pmips.elfGet hashmaliciousMiraiBrowse
                                        gigab.sh4.elfGet hashmaliciousUnknownBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          powerpc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          m68k.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          x86_64.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          mips.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          mipsel.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          owari.arm6.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          bot.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          parm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          pmips.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                                          • 91.189.91.42
                                          powerpc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          m68k.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          x86_64.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          mips.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          mipsel.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          owari.arm6.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          bot.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          parm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          pmips.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          INIT7CHna.elfGet hashmaliciousPrometeiBrowse
                                          • 109.202.202.202
                                          powerpc.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          m68k.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          x86_64.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          mips.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          mipsel.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          bot.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          parm5.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          pmips.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          gigab.sh4.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 30304408
                                          Entropy (8bit):6.166632140105277
                                          TrID:
                                          • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                          • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                          File name:ixXoLDt5pH.elf
                                          File size:655'360 bytes
                                          MD5:77f516739374e597454f6a9a7f99df38
                                          SHA1:0fea9b6983f36b44ede53e9842d1948d0fc91c19
                                          SHA256:61313b582ba8fa8ba6a819fd4a960d51e7c92324efe8c0f5294c651f26223753
                                          SHA512:3b45bbef6a1fa538e2bf2a2d23198b90e67e6a2687117df48737011ef20dc8f195bd0b033bfc05261effea7bac20c529ecd1e657fadab01583352becd810e9b3
                                          SSDEEP:12288:ciZLBtBn77RD3w2AJK7g9rb/TBvO90dL3BmAFd4A64nsfJEc:ci3nHRD3wC7g9rb/TBvO90dL3BmAFd4f
                                          TLSH:10D4F757A89550F4C1FEE134C66AA213BDA13499073827D72FA147F10B26FF86A7C368
                                          File Content Preview:.ELF..............>.....p4@.....@........`..........@.8...@.#.".........@.......@.@.....@.@...............................................@.......@...............................................@.......@......%.......%.......................0.......0@....

                                          Network Behavior

                                          Download Network PCAP: filteredfull

                                          Network Port Distribution

                                          • Total Packets: 6
                                          • 443 (HTTPS)
                                          • 80 (HTTP)
                                          TimestampSource PortDest PortSource IPDest IP
                                          Mar 23, 2025 23:30:49.536012888 CET42836443192.168.2.2391.189.91.43
                                          Mar 23, 2025 23:30:50.303929090 CET4251680192.168.2.23109.202.202.202
                                          Mar 23, 2025 23:31:03.870476007 CET43928443192.168.2.2391.189.91.42
                                          Mar 23, 2025 23:31:16.156532049 CET42836443192.168.2.2391.189.91.43
                                          Mar 23, 2025 23:31:20.251676083 CET4251680192.168.2.23109.202.202.202
                                          Mar 23, 2025 23:31:44.824367046 CET43928443192.168.2.2391.189.91.42

                                          System Behavior