Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
gigab.arm4.elf

Overview

General Information

Sample name:gigab.arm4.elf
Analysis ID:1646473
MD5:993f495e4ab55a02482868ee16eeca65
SHA1:d81d434a177efafd94e2249e105919111d0bfd92
SHA256:d45704703c155f503ba8f34d39cfdc7e329a2b534afd9982678b8755fb89f0ba
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646473
Start date and time:2025-03-24 03:02:56 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 0s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:gigab.arm4.elf
Detection:MAL
Classification:mal52.spre.linELF@0/0@2/0

Runtime Messages

Command:/tmp/gigab.arm4.elf
PID:5481
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Spreading
  • Networking
  • System Summary
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: gigab.arm4.elfAvira: detected

Spreading

barindex
Source: /tmp/gigab.arm4.elf (PID: 5481)Opens: /proc/net/routeJump to behavior
Source: global trafficTCP traffic: 192.168.2.14:49000 -> 37.44.238.66:666
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownTCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal52.spre.linELF@0/0@2/0
Source: /tmp/gigab.arm4.elf (PID: 5481)Queries kernel information via 'uname': Jump to behavior
Source: gigab.arm4.elf, 5481.1.00005630ad30a000.00005630ad438000.rw-.sdmp, gigab.arm4.elf, 5483.1.00005630ad30a000.00005630ad438000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: gigab.arm4.elf, 5481.1.00005630ad30a000.00005630ad438000.rw-.sdmp, gigab.arm4.elf, 5483.1.00005630ad30a000.00005630ad438000.rw-.sdmpBinary or memory string: 0V!/etc/qemu-binfmt/arm
Source: gigab.arm4.elf, 5481.1.00007fffc559a000.00007fffc55bb000.rw-.sdmp, gigab.arm4.elf, 5483.1.00007fffc559a000.00007fffc55bb000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: gigab.arm4.elf, 5481.1.00007fffc559a000.00007fffc55bb000.rw-.sdmp, gigab.arm4.elf, 5483.1.00007fffc559a000.00007fffc55bb000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/gigab.arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.arm4.elf

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
Remote System Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646473 Sample: gigab.arm4.elf Startdate: 24/03/2025 Architecture: LINUX Score: 52 15 37.44.238.66, 49000, 666 HARMONYHOSTING-ASFR France 2->15 17 daisy.ubuntu.com 2->17 19 Antivirus / Scanner detection for submitted sample 2->19 8 gigab.arm4.elf 2->8         started        signatures3 process4 signatures5 21 Opens /proc/net/* files useful for finding connected devices and routers 8->21 11 gigab.arm4.elf 8->11         started        process6 process7 13 gigab.arm4.elf 11->13         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gigab.arm4.elf100%AviraLINUX/Gafgyt.opnd

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    37.44.238.66
    		unknownFrance
    		49434HARMONYHOSTING-ASFRfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    37.44.238.66gigab.mips.elfGet hashmaliciousUnknownBrowse
      gigab.m68.elfGet hashmaliciousUnknownBrowse
        gigab.ppc.elfGet hashmaliciousUnknownBrowse
          gigab.arm6.elfGet hashmaliciousUnknownBrowse
            gigab.arm5.elfGet hashmaliciousUnknownBrowse
              gigab.arm4.elfGet hashmaliciousUnknownBrowse
                gigab.sh4.elfGet hashmaliciousUnknownBrowse
                  gigab.m68.elfGet hashmaliciousUnknownBrowse
                    gigab.arm5.elfGet hashmaliciousUnknownBrowse
                      gigab.mips.elfGet hashmaliciousUnknownBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comresgod.mips.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.arm7.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        gigab.i686.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        resgod.spc.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.mpsl.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        resgod.arm6.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        gigab.mips.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        gigab.arm6.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        sh4.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        mips.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        HARMONYHOSTING-ASFRgigab.mips.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.m68.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.ppc.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.arm6.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.arm5.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.arm4.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.sh4.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        gigab.m68.elfGet hashmaliciousUnknownBrowse
                        • 37.44.238.66
                        spim.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.92
                        686i.elfGet hashmaliciousMiraiBrowse
                        • 37.44.238.88

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, missing section headers at 84580
                        Entropy (8bit):6.067379542335245
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:gigab.arm4.elf
                        File size:79'375 bytes
                        MD5:993f495e4ab55a02482868ee16eeca65
                        SHA1:d81d434a177efafd94e2249e105919111d0bfd92
                        SHA256:d45704703c155f503ba8f34d39cfdc7e329a2b534afd9982678b8755fb89f0ba
                        SHA512:e90268d9ab19e8c54e8043845cf463cc4e18c8ba603abd85d0c9b2dad9c2a0b1f302924e74fb98a1ced851e3ebb96bb0a4a7254f7509aa1c28f7497ef15786de
                        SSDEEP:1536:IgNsdgzRwE0xSvJqg+2qNEvJZrnzFN4tXDKvAZkPYBCL60mT/2xv3T7z:kgzhKSvv3suFN0TKvAZqYuvmTuR3T7z
                        TLSH:57732A45F991971BC3D372BBFB9D428D362A5FA993E6301549309FA033C6BD12A3A131
                        File Content Preview:.ELF...a..........(.........4....G......4. ...(......................$...$...............$...$...$.......i..........Q.td..................................-...L."....B..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                        Network Behavior

                        Download Network PCAP: filteredfull

                        Network Port Distribution

                        • Total Packets: 13
                        • 666 undefined
                        • 53 (DNS)
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 24, 2025 03:03:45.530590057 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:03:45.736959934 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:03:45.737029076 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:03:45.738055944 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:03:45.942801952 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:03:58.904731035 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:03:58.905134916 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:03:59.110049963 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:03:59.110281944 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:04:58.918435097 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:04:58.918674946 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:04:59.124068022 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:04:59.124344110 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:05:58.931054115 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:05:58.931473017 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:05:59.138001919 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:05:59.138231039 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:06:58.950323105 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:06:58.950628996 CET49000666192.168.2.1437.44.238.66
                        Mar 24, 2025 03:06:59.155543089 CET6664900037.44.238.66192.168.2.14
                        Mar 24, 2025 03:06:59.155786991 CET49000666192.168.2.1437.44.238.66
                        TimestampSource PortDest PortSource IPDest IP
                        Mar 24, 2025 03:06:30.732515097 CET3952953192.168.2.141.1.1.1
                        Mar 24, 2025 03:06:30.732593060 CET5178653192.168.2.141.1.1.1
                        Mar 24, 2025 03:06:30.830713034 CET53517861.1.1.1192.168.2.14
                        Mar 24, 2025 03:06:30.833172083 CET53395291.1.1.1192.168.2.14

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Mar 24, 2025 03:06:30.732515097 CET192.168.2.141.1.1.10x8a1fStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Mar 24, 2025 03:06:30.732593060 CET192.168.2.141.1.1.10x512cStandard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Mar 24, 2025 03:06:30.833172083 CET1.1.1.1192.168.2.140x8a1fNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                        Mar 24, 2025 03:06:30.833172083 CET1.1.1.1192.168.2.140x8a1fNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):02:03:44
                        Start date (UTC):24/03/2025
                        Path:/tmp/gigab.arm4.elf
                        Arguments:/tmp/gigab.arm4.elf
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        File Activities

                        Process Activities

                        System Activities

                        Network Activities


                        General

                        Start time (UTC):02:03:44
                        Start date (UTC):24/03/2025
                        Path:/tmp/gigab.arm4.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Process Activities


                        General

                        Start time (UTC):02:03:44
                        Start date (UTC):24/03/2025
                        Path:/tmp/gigab.arm4.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Process Activities

                        Network Activities