Linux Analysis Report
gigab.mips.elf

Overview

General Information

Sample name: gigab.mips.elf
Analysis ID: 1646417
MD5: fee9fdad6831e1fe38d83067285735ab
SHA1: 806a59cc9a1196d08711f26094355ca31bf497b5
SHA256: 75fdd7b4e2523c5e9015651ee33ff7695ebc1a543af667502981ac8141a33ce0
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1646417
Start date and time: 2025-03-24 01:42:43 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: gigab.mips.elf
Detection: MAL
Classification: mal52.spre.linELF@0/1@2/0
Command: /tmp/gigab.mips.elf
PID: 5428
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: gigab.mips.elf | ReversingLabs: Detection: 41%

Spreading

Source: /tmp/gigab.mips.elf (PID: 5428) | Opens: /proc/net/route
Source: global traffic | TCP traffic: 192.168.2.13:38002 -> 37.44.238.66:666
Source: unknown | TCP traffic detected without corresponding DNS query: 37.44.238.66
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engine | Classification label: mal52.spre.linELF@0/1@2/0
Source: /tmp/gigab.mips.elf (PID: 5428) | Queries kernel information via 'uname'
Source: gigab.mips.elf, 5428.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmp, gigab.mips.elf, 5430.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmp | Binary or memory string: |[U!/etc/qemu-binfmt/mips
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.0h803C
Source: gigab.mips.elf, 5428.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmp, gigab.mips.elf, 5430.1.0000555b7c827000.0000555b7c8ae000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp | Binary or memory string: y[U/tmp/qemu-open.0h803C\d
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp, gigab.mips.elf, 5430.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp | Binary or memory string: jx86_64/usr/bin/qemu-mips/tmp/gigab.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.mips.elf
Source: gigab.mips.elf, 5428.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp, gigab.mips.elf, 5430.1.00007ffc01bec000.00007ffc01c0d000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips
MITRE ATT&CK Matrix (numbers in parentheses are matched signature counts):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (11); Remote System Discovery (1); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
Behavior Graph (ID: 1646417, Sample: gigab.mips.elf, Start date: 24/03/2025, Architecture: LINUX, Score: 52). Nodes: 37.44.238.66 (ports 38002, 666; HARMONYHOSTING-ASFR, France); daisy.ubuntu.com; signature "Multi AV Scanner detection for submitted file". Process gigab.mips.elf started, with signature "Opens /proc/net/* files useful for finding connected devices and routers"; it started a second gigab.mips.elf process, which in turn started a third gigab.mips.elf process.

Source | Detection | Scanner | Label
gigab.mips.elf | 42% | ReversingLabs | Linux.Backdoor.Bashlite
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | (none) | high

IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.66 | unknown | France | 49434 | HARMONYHOSTING-ASFR | false
Context for IP 37.44.238.66 (Associated Sample Name / URL | Detection | Threat Name):
gigab.m68.elf | malicious | Unknown
gigab.ppc.elf | malicious | Unknown
gigab.arm6.elf | malicious | Unknown
gigab.arm5.elf | malicious | Unknown
gigab.arm4.elf | malicious | Unknown
gigab.sh4.elf | malicious | Unknown
gigab.m68.elf | malicious | Unknown
gigab.arm5.elf | malicious | Unknown
gigab.mips.elf | malicious | Unknown
gigab.mips.elf | malicious | Gafgyt

Context for domain daisy.ubuntu.com (Associated Sample Name / URL | Detection | Threat Name | Context):
gigab.arm6.elf | malicious | Unknown | 162.213.35.24
sh4.elf | malicious | Mirai | 162.213.35.24
mips.elf | malicious | Mirai | 162.213.35.25
i686.elf | malicious | Mirai | 162.213.35.24
spc.elf | malicious | Mirai | 162.213.35.24
owari.i686.elf | malicious | Unknown | 162.213.35.24
owari.m68k.elf | malicious | Unknown | 162.213.35.24
owari.ppc.elf | malicious | Unknown | 162.213.35.25
owari.sh4.elf | malicious | Unknown | 162.213.35.25
owari.i486.elf | malicious | Unknown | 162.213.35.25

Context for ASN HARMONYHOSTING-ASFR (Associated Sample Name / URL | Detection | Threat Name | Context):
gigab.m68.elf | malicious | Unknown | 37.44.238.66
gigab.ppc.elf | malicious | Unknown | 37.44.238.66
gigab.arm6.elf | malicious | Unknown | 37.44.238.66
gigab.arm5.elf | malicious | Unknown | 37.44.238.66
gigab.arm4.elf | malicious | Unknown | 37.44.238.66
gigab.sh4.elf | malicious | Unknown | 37.44.238.66
gigab.m68.elf | malicious | Unknown | 37.44.238.66
spim.elf | malicious | Mirai | 37.44.238.92
686i.elf | malicious | Mirai | 37.44.238.88
gigab.arm5.elf | malicious | Unknown | 37.44.238.66

No context
Process: /tmp/gigab.mips.elf
File Type: ASCII text
Category: dropped
Size (bytes): 230
Entropy (8bit): 3.709552666863289
Encrypted: false
SSDEEP: 6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
MD5: 2E667F43AE18CD1FE3C108641708A82C
SHA1: 12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
SHA-256: 6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
SHA-512: D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
Malicious: false
Reputation: high, very likely benign file
Preview: Iface.Destination.Gateway .Flags.RefCnt.Use.Metric.Mask..MTU.Window.IRTT .ens160.00000000.c0a80201.0003.0.0.0.00000000.0.0.0.ens160.c0a80200.00000000.0001.0.0.0.ffffff00.0.0.0.

File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
Entropy (8bit): 5.0510860111137
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: gigab.mips.elf
File size: 134'399 bytes
MD5: fee9fdad6831e1fe38d83067285735ab
SHA1: 806a59cc9a1196d08711f26094355ca31bf497b5
SHA256: 75fdd7b4e2523c5e9015651ee33ff7695ebc1a543af667502981ac8141a33ce0
SHA512: 8e825d4e38354bd6e690ea35cf756a259c574d633f09a2df2c5f8397cd78bb5255facf430acbcdc2af8a01c5db2c7422a3dbc31e5cac8a409d0e55ec63cbfea5
SSDEEP: 1536:iHf2lkXEauT9H4SC3DlSjn13G22rK8cecu6I/OayL+CYm4nUeSnDsk5R4/TiP/zY:1ELl21EZ0CUjDskiTiPBprLqCG
TLSH: 2AD3933E7A12ABBEE16DC23107F35F7097A525E227A18341E16CD7186E3128D5C8F7A4
File Content Preview: .ELF.....................@.....4.........4. ...(....p........@...@...........................@...@.....0...0.................B...B........z(...............D.B.D.B.D................dt.Q.................................................C#P<...'."d...!'......

Network Behavior

  • Total Packets: 13
  • Port 666 (undefined)
  • Port 53 (DNS)
TCP Packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 24, 2025 01:43:33.198707104 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:43:33.405808926 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:43:33.405905008 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:43:33.407691956 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:43:33.614948034 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:43:57.619427919 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:43:57.619703054 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:43:57.826585054 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:43:57.826812029 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:44:57.634418964 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:44:57.634922028 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:44:57.842338085 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:44:57.842576981 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:45:57.652951956 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:45:57.653712034 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:45:57.860598087 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:45:57.860754013 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:46:57.668534994 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:46:57.669039011 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66
Mar 24, 2025 01:46:57.875792027 CET | 666 | 38002 | 37.44.238.66 | 192.168.2.13
Mar 24, 2025 01:46:57.876149893 CET | 38002 | 666 | 192.168.2.13 | 37.44.238.66

UDP Packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 24, 2025 01:46:17.984381914 CET | 33993 | 53 | 192.168.2.13 | 8.8.8.8
Mar 24, 2025 01:46:17.984381914 CET | 55769 | 53 | 192.168.2.13 | 8.8.8.8
Mar 24, 2025 01:46:18.074466944 CET | 53 | 33993 | 8.8.8.8 | 192.168.2.13
Mar 24, 2025 01:46:18.074525118 CET | 53 | 55769 | 8.8.8.8 | 192.168.2.13

DNS Queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS):
Mar 24, 2025 01:46:17.984381914 CET | 192.168.2.13 | 8.8.8.8 | 0xde3a | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 24, 2025 01:46:17.984381914 CET | 192.168.2.13 | 8.8.8.8 | 0x5604 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS Answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
Mar 24, 2025 01:46:18.074466944 CET | 8.8.8.8 | 192.168.2.13 | 0xde3a | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 01:46:18.074466944 CET | 8.8.8.8 | 192.168.2.13 | 0xde3a | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.25 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 00:43:32
Start date (UTC): 24/03/2025
Path: /tmp/gigab.mips.elf
Arguments: /tmp/gigab.mips.elf
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Start time (UTC): 00:43:32
Start date (UTC): 24/03/2025
Path: /tmp/gigab.mips.elf
Arguments: -
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Start time (UTC): 00:43:32
Start date (UTC): 24/03/2025
Path: /tmp/gigab.mips.elf
Arguments: -
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c