Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
gigab.mips.elf

Overview

General Information

Sample name:gigab.mips.elf
Analysis ID:1646417
MD5:fee9fdad6831e1fe38d83067285735ab
SHA1:806a59cc9a1196d08711f26094355ca31bf497b5
SHA256:75fdd7b4e2523c5e9015651ee33ff7695ebc1a543af667502981ac8141a33ce0
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646417
Start date and time:2025-03-24 01:42:43 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 11s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:gigab.mips.elf
Detection:MAL
Classification:mal52.spre.linELF@0/1@2/0

Runtime Messages

Command:/tmp/gigab.mips.elf
PID:5428
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Spreading
  • Networking
  • System Summary
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: gigab.mips.elfReversingLabs: Detection: 41%

Spreading

barindex
Source: /tmp/gigab.mips.elf (PID: 5428)Opens: /proc/net/routeJump to behavior
Source: global trafficTCP traffic: 192.168.2.13:38002 -> 37.44.238.66:666
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal52.spre.linELF@0/1@2/0
Source: /tmp/gigab.mips.elf (PID: 5428)Queries kernel information via 'uname': Jump to behavior
Source: gigab.mips.elf, 5428.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmp, gigab.mips.elf, 5430.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmpBinary or memory string: |[U!/etc/qemu-binfmt/mips
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmpBinary or memory string: /tmp/qemu-open.0h803C
Source: gigab.mips.elf, 5428.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmp, gigab.mips.elf, 5430.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmpBinary or memory string: y[U/tmp/qemu-open.0h803C\d
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp, gigab.mips.elf, 5430.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmpBinary or memory string: jx86_64/usr/bin/qemu-mips/tmp/gigab.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.mips.elf
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp, gigab.mips.elf, 5430.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
Remote System Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646417 Sample: gigab.mips.elf Startdate: 24/03/2025 Architecture: LINUX Score: 52 15 37.44.238.66, 38002, 666 HARMONYHOSTING-ASFR France 2->15 17 daisy.ubuntu.com 2->17 19 Multi AV Scanner detection for submitted file 2->19 8 gigab.mips.elf 2->8         started        signatures3 process4 signatures5 21 Opens /proc/net/* files useful for finding connected devices and routers 8->21 11 gigab.mips.elf 8->11         started        process6 process7 13 gigab.mips.elf 11->13         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gigab.mips.elf42%ReversingLabsLinux.Backdoor.Bashlite

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    37.44.238.66
    		unknownFrance
    		49434HARMONYHOSTING-ASFRfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    37.44.238.66gigab.m68.elfGet hashmaliciousUnknownBrowse
      gigab.ppc.elfGet hashmaliciousUnknownBrowse
        gigab.arm6.elfGet hashmaliciousUnknownBrowse
          gigab.arm5.elfGet hashmaliciousUnknownBrowse
            gigab.arm4.elfGet hashmaliciousUnknownBrowse
              gigab.sh4.elfGet hashmaliciousUnknownBrowse
                gigab.m68.elfGet hashmaliciousUnknownBrowse
                  gigab.arm5.elfGet hashmaliciousUnknownBrowse
                    gigab.mips.elfGet hashmaliciousUnknownBrowse
                      gigab.mips.elfGet hashmaliciousGafgytBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comgigab.arm6.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        sh4.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        mips.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        i686.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        spc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        owari.i686.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        owari.m68k.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        owari.ppc.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        owari.sh4.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        owari.i486.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        HARMONYHOSTING-ASFRgigab.m68.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.ppc.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.arm6.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.arm5.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.arm4.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.sh4.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.m68.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        spim.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.92
                        686i.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.88
                        gigab.arm5.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        Process:/tmp/gigab.mips.elf
                        File Type:ASCII text
                        Category:dropped
                        Size (bytes):230
                        Entropy (8bit):3.709552666863289
                        Encrypted:false
                        SSDEEP:6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
                        MD5:2E667F43AE18CD1FE3C108641708A82C
                        SHA1:12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
                        SHA-256:6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
                        SHA-512:D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:Iface.Destination.Gateway .Flags.RefCnt.Use.Metric.Mask..MTU.Window.IRTT .ens160.00000000.c0a80201.0003.0.0.0.00000000.0.0.0.ens160.c0a80200.00000000.0001.0.0.0.ffffff00.0.0.0.

                        Static File Info

                        General

                        File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
                        Entropy (8bit):5.0510860111137
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:gigab.mips.elf
                        File size:134'399 bytes
                        MD5:fee9fdad6831e1fe38d83067285735ab
                        SHA1:806a59cc9a1196d08711f26094355ca31bf497b5
                        SHA256:75fdd7b4e2523c5e9015651ee33ff7695ebc1a543af667502981ac8141a33ce0
                        SHA512:8e825d4e38354bd6e690ea35cf756a259c574d633f09a2df2c5f8397cd78bb5255facf430acbcdc2af8a01c5db2c7422a3dbc31e5cac8a409d0e55ec63cbfea5
                        SSDEEP:1536:iHf2lkXEauT9H4SC3DlSjn13G22rK8cecu6I/OayL+CYm4nUeSnDsk5R4/TiP/zY:1ELl21EZ0CUjDskiTiPBprLqCG
                        TLSH:2AD3933E7A12ABBEE16DC23107F35F7097A525E227A18341E16CD7186E3128D5C8F7A4
                        File Content Preview:.ELF.....................@.....4.........4. ...(....p........@...@...........................@...@.....0...0.................B...B........z(...............D.B.D.B.D................dt.Q.................................................C#P<...'."d...!'......

                        Network Behavior

                        Download Network PCAP: filteredfull

                        Network Port Distribution

                        • Total Packets: 13
                        • 666 undefined
                        • 53 (DNS)
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 24, 2025 01:43:33.198707104 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:43:33.405808926 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:43:33.405905008 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:43:33.407691956 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:43:33.614948034 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:43:57.619427919 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:43:57.619703054 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:43:57.826585054 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:43:57.826812029 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:44:57.634418964 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:44:57.634922028 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:44:57.842338085 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:44:57.842576981 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:45:57.652951956 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:45:57.653712034 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:45:57.860598087 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:45:57.860754013 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:46:57.668534994 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:46:57.669039011 CET38002666192.168.2.1337.44.238.66
                        Mar 24, 2025 01:46:57.875792027 CET6663800237.44.238.66192.168.2.13
                        Mar 24, 2025 01:46:57.876149893 CET38002666192.168.2.1337.44.238.66
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 24, 2025 01:46:17.984381914 CET3399353192.168.2.138.8.8.8
                        Mar 24, 2025 01:46:17.984381914 CET5576953192.168.2.138.8.8.8
                        Mar 24, 2025 01:46:18.074466944 CET53339938.8.8.8192.168.2.13
                        Mar 24, 2025 01:46:18.074525118 CET53557698.8.8.8192.168.2.13

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Mar 24, 2025 01:46:17.984381914 CET192.168.2.138.8.8.80xde3aStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Mar 24, 2025 01:46:17.984381914 CET192.168.2.138.8.8.80x5604Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Mar 24, 2025 01:46:18.074466944 CET8.8.8.8192.168.2.130xde3aNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                        Mar 24, 2025 01:46:18.074466944 CET8.8.8.8192.168.2.130xde3aNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):00:43:32
                        Start date (UTC):24/03/2025
                        Path:/tmp/gigab.mips.elf
                        Arguments:/tmp/gigab.mips.elf
                        File size:5777432 bytes
                        MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                        File Activities

                        Process Activities

                        System Activities

                        Network Activities


                        General

                        Start time (UTC):00:43:32
                        Start date (UTC):24/03/2025
                        Path:/tmp/gigab.mips.elf
                        Arguments:-
                        File size:5777432 bytes
                        MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                        Process Activities


                        General

                        Start time (UTC):00:43:32
                        Start date (UTC):24/03/2025
                        Path:/tmp/gigab.mips.elf
                        Arguments:-
                        File size:5777432 bytes
                        MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                        Process Activities

                        Network Activities