Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
arc.elf

Overview

General Information

Sample name:arc.elf
Analysis ID:1646530
MD5:7e5b86d09c7cb30e860bb5bf55745521
SHA1:9ab3ea7d8512dc8e4c3db6492ef78c89e771fda5
SHA256:db901b478fdec9384af18b8e869c03616cc64ee251aeb8bebac50c1d20e309ee
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:56
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "rm" command used to delete files or directories

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1646530
Start date and time:2025-03-24 05:07:51 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arc.elf
Detection:MAL
Classification:mal56.troj.linELF@0/0@0/0

Runtime Messages

Command:/tmp/arc.elf
PID:5547
Exit Code:255
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5612, Parent: 3671)
  • rm (PID: 5612, Parent: 3671, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Apoo2bHQ80 /tmp/tmp.U1T417YSne /tmp/tmp.30oaB7M8FX
  • dash New Fork (PID: 5613, Parent: 3671)
  • rm (PID: 5613, Parent: 3671, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Apoo2bHQ80 /tmp/tmp.U1T417YSne /tmp/tmp.30oaB7M8FX
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
arc.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    • AV Detection
    • Networking
    • System Summary
    • Persistence and Installation Behavior
    • Stealing of Sensitive Information
    • Remote Access Functionality

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: arc.elfReversingLabs: Detection: 22%
    Source: unknownTCP traffic detected without corresponding DNS query: 34.254.182.186
    Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
    Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
    Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
    Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60072
    Source: unknownNetwork traffic detected: HTTP traffic on port 60072 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 44524 -> 443
    Source: classification engineClassification label: mal56.troj.linELF@0/0@0/0
    Source: /usr/bin/dash (PID: 5612)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Apoo2bHQ80 /tmp/tmp.U1T417YSne /tmp/tmp.30oaB7M8FXJump to behavior
    Source: /usr/bin/dash (PID: 5613)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Apoo2bHQ80 /tmp/tmp.U1T417YSne /tmp/tmp.30oaB7M8FXJump to behavior

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: arc.elf, type: SAMPLE

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: arc.elf, type: SAMPLE

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
    File Deletion    		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
    Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service

    Malware Configuration

    No configs have been found

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1646530 Sample: arc.elf Startdate: 24/03/2025 Architecture: LINUX Score: 56 10 34.254.182.186, 443 AMAZON-02US United States 2->10 12 54.171.230.55, 443, 60072 AMAZON-02US United States 2->12 14 Multi AV Scanner detection for submitted file 2->14 16 Yara detected Mirai 2->16 6 dash rm 2->6         started        8 dash rm 2->8         started        signatures3 process4

    Screenshots

    Download Video

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    arc.elf22%ReversingLabsLinux.Backdoor.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Download Network PCAP: filteredfull

    Contacted Domains

    No contacted domains info

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    54.171.230.55
    		unknownUnited States
    		16509AMAZON-02USfalse
    34.254.182.186
    		unknownUnited States
    		16509AMAZON-02USfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    54.171.230.55morte.mips.elfGet hashmaliciousGafgyt, OkiruBrowse
      aarch64.elfGet hashmaliciousMiraiBrowse
        na.elfGet hashmaliciousPrometeiBrowse
          arm6.elfGet hashmaliciousMiraiBrowse
            na.elfGet hashmaliciousPrometeiBrowse
              gigab.arm5.elfGet hashmaliciousUnknownBrowse
                na.elfGet hashmaliciousPrometeiBrowse
                  updated.elfGet hashmaliciousUnknownBrowse
                    spc.elfGet hashmaliciousMiraiBrowse
                      na.elfGet hashmaliciousPrometeiBrowse
                        34.254.182.186na.elfGet hashmaliciousPrometeiBrowse
                          yakuza.sh4.elfGet hashmaliciousGafgyt, MiraiBrowse
                            na.elfGet hashmaliciousPrometeiBrowse
                              arm6.elfGet hashmaliciousMiraiBrowse
                                x.rar.elfGet hashmaliciousXmrigBrowse
                                  na.elfGet hashmaliciousPrometeiBrowse
                                    main_x86_64.elfGet hashmaliciousUnknownBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        miner.elfGet hashmaliciousUnknownBrowse
                                          na.elfGet hashmaliciousPrometeiBrowse

                                            Domains

                                            No context

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            AMAZON-02US#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exeGet hashmaliciousNjratBrowse
                                            • 18.197.239.5
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 52.43.119.120
                                            gigab.x86.elfGet hashmaliciousUnknownBrowse
                                            • 34.249.145.219
                                            morte.mips.elfGet hashmaliciousGafgyt, OkiruBrowse
                                            • 54.171.230.55
                                            arm7.elfGet hashmaliciousUnknownBrowse
                                            • 34.249.145.219
                                            SecuriteInfo.com.Win64.CrypterX-gen.5834.27621.exeGet hashmaliciousVidarBrowse
                                            • 108.138.128.112
                                            aarch64.elfGet hashmaliciousMiraiBrowse
                                            • 34.249.145.219
                                            resgod.arm5.elfGet hashmaliciousMiraiBrowse
                                            • 54.77.209.255
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 52.43.119.120
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 54.247.62.1
                                            AMAZON-02US#U0440#U043e#U0431#U043b#U043e#U043a#U0441.exeGet hashmaliciousNjratBrowse
                                            • 18.197.239.5
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 52.43.119.120
                                            gigab.x86.elfGet hashmaliciousUnknownBrowse
                                            • 34.249.145.219
                                            morte.mips.elfGet hashmaliciousGafgyt, OkiruBrowse
                                            • 54.171.230.55
                                            arm7.elfGet hashmaliciousUnknownBrowse
                                            • 34.249.145.219
                                            SecuriteInfo.com.Win64.CrypterX-gen.5834.27621.exeGet hashmaliciousVidarBrowse
                                            • 108.138.128.112
                                            aarch64.elfGet hashmaliciousMiraiBrowse
                                            • 34.249.145.219
                                            resgod.arm5.elfGet hashmaliciousMiraiBrowse
                                            • 54.77.209.255
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 52.43.119.120
                                            na.elfGet hashmaliciousPrometeiBrowse
                                            • 54.247.62.1

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            No created / dropped files found

                                            Static File Info

                                            General

                                            File type:
                                            Entropy (8bit):6.454116349154812
                                            TrID:
                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                            File name:arc.elf
                                            File size:116'116 bytes
                                            MD5:7e5b86d09c7cb30e860bb5bf55745521
                                            SHA1:9ab3ea7d8512dc8e4c3db6492ef78c89e771fda5
                                            SHA256:db901b478fdec9384af18b8e869c03616cc64ee251aeb8bebac50c1d20e309ee
                                            SHA512:e5bef19a5dd94d8b83cf8df2cf2d7fc1714ff0970151cdc322dd46fb2452a5ae5075f0dfeabf4f717025fabffc401db2637f4a603fac8091b3221976ff13bdd3
                                            SSDEEP:3072:+i7m/M3G6twoki710IQewITWDwnT3vEgQnZq:zb7WaaD68q
                                            TLSH:FFB3AEDBB34B5460C82247F90BD78B9E3E6332519E27C8E36C0E557A34791DB190A7D2
                                            File Content Preview:.ELF..............].........4...d.......4. ...(.....................L...L........ .......................~....... ..................................................................Q.td.......................................................................

                                            Network Behavior

                                            Download Network PCAP: filteredfull

                                            TimestampSource PortDest PortSource IPDest IP
                                            Mar 24, 2025 05:08:43.839741945 CET44524443192.168.2.1534.254.182.186
                                            Mar 24, 2025 05:09:12.300236940 CET60072443192.168.2.1554.171.230.55
                                            Mar 24, 2025 05:09:12.300312996 CET4436007254.171.230.55192.168.2.15
                                            Mar 24, 2025 05:09:12.300388098 CET60072443192.168.2.1554.171.230.55
                                            Mar 24, 2025 05:09:12.301611900 CET60072443192.168.2.1554.171.230.55
                                            Mar 24, 2025 05:09:12.301629066 CET4436007254.171.230.55192.168.2.15
                                            Mar 24, 2025 05:10:12.299199104 CET60072443192.168.2.1554.171.230.55
                                            Mar 24, 2025 05:10:12.344326019 CET4436007254.171.230.55192.168.2.15
                                            Mar 24, 2025 05:10:48.105597973 CET4436007254.171.230.55192.168.2.15

                                            System Behavior

                                            General

                                            Start time (UTC):04:10:11
                                            Start date (UTC):24/03/2025
                                            Path:/usr/bin/dash
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Process Activities


                                            General

                                            Start time (UTC):04:10:11
                                            Start date (UTC):24/03/2025
                                            Path:/usr/bin/rm
                                            Arguments:rm -f /tmp/tmp.Apoo2bHQ80 /tmp/tmp.U1T417YSne /tmp/tmp.30oaB7M8FX
                                            File size:72056 bytes
                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                            File Activities


                                            General

                                            Start time (UTC):04:10:11
                                            Start date (UTC):24/03/2025
                                            Path:/usr/bin/dash
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Process Activities


                                            General

                                            Start time (UTC):04:10:11
                                            Start date (UTC):24/03/2025
                                            Path:/usr/bin/rm
                                            Arguments:rm -f /tmp/tmp.Apoo2bHQ80 /tmp/tmp.U1T417YSne /tmp/tmp.30oaB7M8FX
                                            File size:72056 bytes
                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                            File Activities