
Linux Analysis Report
gigab.arm4.elf

Overview

General Information

Sample name: gigab.arm4.elf
Analysis ID: 1646473
MD5: 993f495e4ab55a02482868ee16eeca65
SHA1: d81d434a177efafd94e2249e105919111d0bfd92
SHA256: d45704703c155f503ba8f34d39cfdc7e329a2b534afd9982678b8755fb89f0ba
Tags: elf, user-abuse_ch

Detection

Score: 52 (range 0 - 100)

Signatures

Antivirus / Scanner detection for submitted sample
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Uses the "uname" system call to query kernel version information (possible evasion)

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1646473
Start date and time: 2025-03-24 03:02:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: gigab.arm4.elf
Detection: MAL
Classification: mal52.spre.linELF@0/0@2/0
Command: /tmp/gigab.arm4.elf
PID: 5481
Exit Code: 0
Exit Code Info: (empty)
Killed: False
Standard Output: (empty)

Standard Error:
  • system is lnxubuntu20
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: gigab.arm4.elf | Avira: detected

Spreading

Source: /tmp/gigab.arm4.elf (PID: 5481) | Opens: /proc/net/route
Source: global traffic | TCP traffic: 192.168.2.14:49000 -> 37.44.238.66:666
Source: unknown | TCP traffic detected without corresponding DNS query: 37.44.238.66
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engine | Classification label: mal52.spre.linELF@0/0@2/0
Source: /tmp/gigab.arm4.elf (PID: 5481) | Queries kernel information via 'uname'
Source: gigab.arm4.elf, 5481.1.00005630ad30a000.00005630ad438000.rw-.sdmp, gigab.arm4.elf, 5483.1.00005630ad30a000.00005630ad438000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: gigab.arm4.elf, 5481.1.00005630ad30a000.00005630ad438000.rw-.sdmp, gigab.arm4.elf, 5483.1.00005630ad30a000.00005630ad438000.rw-.sdmp | Binary or memory string: 0V!/etc/qemu-binfmt/arm
Source: gigab.arm4.elf, 5481.1.00007fffc559a000.00007fffc55bb000.rw-.sdmp, gigab.arm4.elf, 5483.1.00007fffc559a000.00007fffc55bb000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: gigab.arm4.elf, 5481.1.00007fffc559a000.00007fffc55bb000.rw-.sdmp, gigab.arm4.elf, 5483.1.00007fffc559a000.00007fffc55bb000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/gigab.arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gigab.arm4.elf
MITRE ATT&CK techniques matched by the analysis (unmatched cells of the report's matrix omitted):

Tactic | Technique
Discovery | Security Software Discovery
Discovery | Remote System Discovery
Command and Control | Non-Standard Port
Command and Control | Non-Application Layer Protocol
Command and Control | Application Layer Protocol
No configs have been found
Behavior graph (ID 1646473; sample gigab.arm4.elf; start date 24/03/2025; architecture LINUX; score 52). Nodes: 37.44.238.66 on ports 49000 and 666 (HARMONYHOSTING-ASFR, France); daisy.ubuntu.com; signature "Antivirus / Scanner detection for submitted sample"; process gigab.arm4.elf started, flagged with "Opens /proc/net/* files useful for finding connected devices and routers", which started a child gigab.arm4.elf, which in turn started a further gigab.arm4.elf.

Source | Detection | Scanner | Label
gigab.arm4.elf | 100% | Avira | LINUX/Gafgyt.opnd

No other antivirus matches.

Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | (none) | high

IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.66 | unknown | France | 49434 | HARMONYHOSTING-ASFR | false
IP context (37.44.238.66):

Associated Sample Name / URL | Detection | Threat Name
gigab.mips.elf | malicious | Unknown
gigab.m68.elf | malicious | Unknown
gigab.ppc.elf | malicious | Unknown
gigab.arm6.elf | malicious | Unknown
gigab.arm5.elf | malicious | Unknown
gigab.arm4.elf | malicious | Unknown
gigab.sh4.elf | malicious | Unknown
gigab.m68.elf | malicious | Unknown
gigab.arm5.elf | malicious | Unknown
gigab.mips.elf | malicious | Unknown

Domain context (daisy.ubuntu.com):

Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
resgod.mips.elf | malicious | Mirai | 162.213.35.24
resgod.arm7.elf | malicious | Mirai | 162.213.35.25
gigab.i686.elf | malicious | Unknown | 162.213.35.25
resgod.spc.elf | malicious | Mirai | 162.213.35.24
resgod.mpsl.elf | malicious | Mirai | 162.213.35.24
resgod.arm6.elf | malicious | Mirai | 162.213.35.24
gigab.mips.elf | malicious | Unknown | 162.213.35.24
gigab.arm6.elf | malicious | Unknown | 162.213.35.24
sh4.elf | malicious | Mirai | 162.213.35.24
mips.elf | malicious | Mirai | 162.213.35.25

ASN context (HARMONYHOSTING-ASFR):

Associated Sample Name / URL | Detection | Threat Name | Context (IP)
gigab.mips.elf | malicious | Unknown | 37.44.238.66
gigab.m68.elf | malicious | Unknown | 37.44.238.66
gigab.ppc.elf | malicious | Unknown | 37.44.238.66
gigab.arm6.elf | malicious | Unknown | 37.44.238.66
gigab.arm5.elf | malicious | Unknown | 37.44.238.66
gigab.arm4.elf | malicious | Unknown | 37.44.238.66
gigab.sh4.elf | malicious | Unknown | 37.44.238.66
gigab.m68.elf | malicious | Unknown | 37.44.238.66
spim.elf | malicious | Mirai | 37.44.238.92
686i.elf | malicious | Mirai | 37.44.238.88

No context
                        No created / dropped files found
File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, missing section headers at 84580
Entropy (8bit): 6.067379542335245
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: gigab.arm4.elf
File size: 79'375 bytes
MD5: 993f495e4ab55a02482868ee16eeca65
SHA1: d81d434a177efafd94e2249e105919111d0bfd92
SHA256: d45704703c155f503ba8f34d39cfdc7e329a2b534afd9982678b8755fb89f0ba
SHA512: e90268d9ab19e8c54e8043845cf463cc4e18c8ba603abd85d0c9b2dad9c2a0b1f302924e74fb98a1ced851e3ebb96bb0a4a7254f7509aa1c28f7497ef15786de
SSDEEP: 1536:IgNsdgzRwE0xSvJqg+2qNEvJZrnzFN4tXDKvAZkPYBCL60mT/2xv3T7z:kgzhKSvv3suFN0TKvAZqYuvmTuR3T7z
TLSH: 57732A45F991971BC3D372BBFB9D428D362A5FA993E6301549309FA033C6BD12A3A131
File Content Preview: .ELF...a..........(.........4....G......4. ...(......................$...$...............$...$...$.......i..........Q.td..................................-...L."....B..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Network Behavior

  • Total Packets: 13
  • Ports seen: 666 (undefined), 53 (DNS)

TCP packets:

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 03:03:45.530590057 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:03:45.736959934 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:03:45.737029076 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:03:45.738055944 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:03:45.942801952 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:03:58.904731035 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:03:58.905134916 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:03:59.110049963 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:03:59.110281944 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:04:58.918435097 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:04:58.918674946 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:04:59.124068022 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:04:59.124344110 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:05:58.931054115 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:05:58.931473017 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:05:59.138001919 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:05:59.138231039 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:06:58.950323105 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:06:58.950628996 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66
Mar 24, 2025 03:06:59.155543089 CET | 666 | 49000 | 37.44.238.66 | 192.168.2.14
Mar 24, 2025 03:06:59.155786991 CET | 49000 | 666 | 192.168.2.14 | 37.44.238.66

UDP packets:

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 03:06:30.732515097 CET | 39529 | 53 | 192.168.2.14 | 1.1.1.1
Mar 24, 2025 03:06:30.732593060 CET | 51786 | 53 | 192.168.2.14 | 1.1.1.1
Mar 24, 2025 03:06:30.830713034 CET | 53 | 51786 | 1.1.1.1 | 192.168.2.14
Mar 24, 2025 03:06:30.833172083 CET | 53 | 39529 | 1.1.1.1 | 192.168.2.14

DNS queries:

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 24, 2025 03:06:30.732515097 CET | 192.168.2.14 | 1.1.1.1 | 0x8a1f | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 24, 2025 03:06:30.732593060 CET | 192.168.2.14 | 1.1.1.1 | 0x512c | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers:

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 24, 2025 03:06:30.833172083 CET | 1.1.1.1 | 192.168.2.14 | 0x8a1f | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 03:06:30.833172083 CET | 1.1.1.1 | 192.168.2.14 | 0x8a1f | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.25 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 02:03:44
Start date (UTC): 24/03/2025
Path: /tmp/gigab.arm4.elf
Arguments: /tmp/gigab.arm4.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 02:03:44
Start date (UTC): 24/03/2025
Path: /tmp/gigab.arm4.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 02:03:44
Start date (UTC): 24/03/2025
Path: /tmp/gigab.arm4.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1