
Linux Analysis Report
GoldAge3ATOmpsl.elf

Overview

General Information

Sample name:GoldAge3ATOmpsl.elf
Analysis ID:1648955
MD5:c4b8705dc8ae7e51d0122b4afeb9bed5
SHA1:2c3aec92a0f61e67e1870436ed01544fd960dc52
SHA256:92154f4dfb53fcaaa598b1e8cdf408043694f4714f8ccce544d5ce6abfdd6724
Tags:elfuser-abuse_ch

Detection

Score:56
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1648955
Start date and time:2025-03-26 11:13:19 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:GoldAge3ATOmpsl.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0
Command:/tmp/GoldAge3ATOmpsl.elf
PID:5434
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • GoldAge3ATOmpsl.elf (PID: 5434, Parent: 5356, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/GoldAge3ATOmpsl.elf
  • dash New Fork (PID: 5503, Parent: 3588)
  • rm (PID: 5503, Parent: 3588, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.QP8jZXsbfb /tmp/tmp.SLck6z3khn /tmp/tmp.JWU2GPMxDp
  • dash New Fork (PID: 5504, Parent: 3588)
  • rm (PID: 5504, Parent: 3588, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.QP8jZXsbfb /tmp/tmp.SLck6z3khn /tmp/tmp.JWU2GPMxDp
  • cleanup
No yara matches
No Suricata rule has matched



AV Detection

Source: GoldAge3ATOmpsl.elf | Avira: detected
Source: GoldAge3ATOmpsl.elf | Virustotal: Detection: 57%
Source: GoldAge3ATOmpsl.elf | ReversingLabs: Detection: 66%
Source: unknown | TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown | TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown | Network traffic detected: HTTP traffic on port 54636 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54636
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal56.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5503) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.QP8jZXsbfb /tmp/tmp.SLck6z3khn /tmp/tmp.JWU2GPMxDp
Source: /usr/bin/dash (PID: 5504) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.QP8jZXsbfb /tmp/tmp.SLck6z3khn /tmp/tmp.JWU2GPMxDp
Source: /tmp/GoldAge3ATOmpsl.elf (PID: 5434) | Queries kernel information via 'uname'
Source: GoldAge3ATOmpsl.elf, 5434.1.0000563888e33000.0000563888eba000.rw-.sdmp | Binary or memory string: 8V!/etc/qemu-binfmt/mipsel
Source: GoldAge3ATOmpsl.elf, 5434.1.00007ffe97daa000.00007ffe97dcb000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/GoldAge3ATOmpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/GoldAge3ATOmpsl.elf
Source: GoldAge3ATOmpsl.elf, 5434.1.0000563888e33000.0000563888eba000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: GoldAge3ATOmpsl.elf, 5434.1.00007ffe97daa000.00007ffe97dcb000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: GoldAge3ATOmpsl.elf, 5434.1.00007ffe97daa000.00007ffe97dcb000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
MITRE ATT&CK Matrix (numbers in parentheses are signature hit counts; entries without a count are unmatched matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: File Deletion (1); Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
Behavior Graph (ID: 1648955, Sample: GoldAge3ATOmpsl.elf, Startdate: 26/03/2025, Architecture: LINUX, Score: 56). Network nodes: 34.254.182.186 (ports 443, 54636; AMAZON-02US, United States); daisy.ubuntu.com. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file. Processes started: dash -> rm; dash -> rm; GoldAge3ATOmpsl.elf.
Source | Detection | Scanner | Label
GoldAge3ATOmpsl.elf | 58% | Virustotal |
GoldAge3ATOmpsl.elf | 67% | ReversingLabs | Linux.Backdoor.Mirai
GoldAge3ATOmpsl.elf | 100% | Avira | EXP/ELF.Mirai.Bootnet.o
No Antivirus matches
No Antivirus matches
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.254.182.186 | unknown | United States | 16509 | AMAZON-02US | false

Context for 34.254.182.186 (Associated Sample Name / URL | Detection | Threat Name):
na.elf | malicious | Prometei
x86_64.elf | malicious | Unknown
morte.arm5.elf | malicious | Unknown
arm6.elf | malicious | Unknown
ppc.elf | malicious | Unknown
na.elf | malicious | Prometei
boatnet.arm6.elf | malicious | Mirai
tarm5.elf | malicious | Unknown
arm5.elf | malicious | Unknown
arm7.elf | malicious | Mirai

Context for daisy.ubuntu.com (Associated Sample Name / URL | Detection | Threat Name | Resolved IP):
frosty.m68k.elf | malicious | Unknown | 162.213.35.25
frosty.arm6.elf | malicious | Unknown | 162.213.35.24
frosty.arm7.elf | malicious | Unknown | 162.213.35.24
GoldAge3ATOppc.elf | malicious | Unknown | 162.213.35.25
GoldAge3ATOx86.elf | malicious | Unknown | 162.213.35.25
GoldAge3ATOx64.elf | malicious | Unknown | 162.213.35.24
boatnet.arm7.elf | malicious | Mirai | 162.213.35.25
boatnet.m68k.elf | malicious | Mirai | 162.213.35.24
boatnet.mpsl.elf | malicious | Mirai | 162.213.35.25
boatnet.spc.elf | malicious | Mirai | 162.213.35.24

Context for AMAZON-02US (Associated Sample Name / URL | Detection | Threat Name | IP):
GoldAge3ATOarm6.elf | malicious | Unknown | 34.249.145.219
na.elf | malicious | Prometei | 34.249.145.219
na.elf | malicious | Prometei | 34.249.145.219
frosty.arm5.elf | malicious | Unknown | 34.249.145.219
http://support.delfi.com | malicious | Unknown | 52.217.163.192
frosty.x86.elf | malicious | Unknown | 52.35.74.183
frosty.mpsl.elf | malicious | Unknown | 34.249.145.219
frosty.mips.elf | malicious | Unknown | 34.249.145.219
frosty.spc.elf | malicious | Unknown | 63.32.132.7
na.elf | malicious | Prometei | 54.247.62.1
No context
No context
No created / dropped files found
File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):5.330820933874548
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:GoldAge3ATOmpsl.elf
File size:56'932 bytes
MD5:c4b8705dc8ae7e51d0122b4afeb9bed5
SHA1:2c3aec92a0f61e67e1870436ed01544fd960dc52
SHA256:92154f4dfb53fcaaa598b1e8cdf408043694f4714f8ccce544d5ce6abfdd6724
SHA512:b27a9ba545f3fd5ac648fee463317987dd6eac754c76c667c876ada5c039616fa788e948e49e9d6c1f2b58f18a3bc8cb87daeeb00f40f8f6540ecb80e8a6f52a
SSDEEP:768:HLrIQgl8t2gvgBg6NBT/Vqex53pe2eOLe5cdA7YXiKc4YuNu:HLrIQ88oMDPeTjXL6cdsWY
TLSH:20438209BF610FB7ECAFDD3709A9270524CD640B21A97B39BD34D918F24B21B19E3864
File Content Preview:.ELF....................`.@.4...\.......4. ...(...............@...@...........................D...D.................Q.td...............................<.X.'!......'.......................<.W.'!... .........9'.. ........................<.W.'!...........0.9

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:MIPS R3000
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x400260
Flags:0x1007
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:56412
Section Header Size:40
Number of Section Headers:13
Header String Table Index:12
Section headers (Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align):
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400120 | 0x120 | 0xd080 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x40d1a0 | 0xd1a0 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x40d200 | 0xd200 | 0x510 | 0x0 | 0x2 | A | 0 | 0 | 16
.ctors | PROGBITS | 0x44d714 | 0xd714 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x44d71c | 0xd71c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x44d730 | 0xd730 | 0x190 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x44d8c0 | 0xd8c0 | 0x344 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
.sbss | NOBITS | 0x44dc04 | 0xdc04 | 0x24 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.bss | NOBITS | 0x44dc30 | 0xdc04 | 0x1f0 | 0x0 | 0x3 | WA | 0 | 0 | 16
.mdebug.abi32 | PROGBITS | 0x61e | 0xdc04 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0xdc04 | 0x57 | 0x0 | 0x0 | | 0 | 0 | 1

Program headers (Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings):
LOAD | 0x0 | 0x400000 | 0x400000 | 0xd710 | 0xd710 | 5.3637 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0xd714 | 0x44d714 | 0x44d714 | 0x4f0 | 0x70c | 3.2024 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .got .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


  • Total Packets: 4
  • 443 (HTTPS)
  • 53 (DNS)

TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 26, 2025 11:14:21.136425972 CET | 54636 | 443 | 192.168.2.13 | 34.254.182.186
Mar 26, 2025 11:14:39.010349989 CET | 54636 | 443 | 192.168.2.13 | 34.254.182.186
Mar 26, 2025 11:14:39.192328930 CET | 443 | 54636 | 34.254.182.186 | 192.168.2.13

UDP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 26, 2025 11:14:10.756969929 CET | 54964 | 53 | 192.168.2.13 | 1.1.1.1
Mar 26, 2025 11:14:10.757133961 CET | 53063 | 53 | 192.168.2.13 | 1.1.1.1
Mar 26, 2025 11:14:10.855603933 CET | 53 | 54964 | 1.1.1.1 | 192.168.2.13
Mar 26, 2025 11:14:10.897111893 CET | 53 | 53063 | 1.1.1.1 | 192.168.2.13

DNS queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS):
Mar 26, 2025 11:14:10.756969929 CET | 192.168.2.13 | 1.1.1.1 | 0xcd0c | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 26, 2025 11:14:10.757133961 CET | 192.168.2.13 | 1.1.1.1 | 0x8854 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
Mar 26, 2025 11:14:10.855603933 CET | 1.1.1.1 | 192.168.2.13 | 0xcd0c | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Mar 26, 2025 11:14:10.855603933 CET | 1.1.1.1 | 192.168.2.13 | 0xcd0c | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC):10:14:07
Start date (UTC):26/03/2025
Path:/tmp/GoldAge3ATOmpsl.elf
Arguments:/tmp/GoldAge3ATOmpsl.elf
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):10:14:38
Start date (UTC):26/03/2025
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:14:38
Start date (UTC):26/03/2025
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.QP8jZXsbfb /tmp/tmp.SLck6z3khn /tmp/tmp.JWU2GPMxDp
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):10:14:38
Start date (UTC):26/03/2025
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):10:14:38
Start date (UTC):26/03/2025
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.QP8jZXsbfb /tmp/tmp.SLck6z3khn /tmp/tmp.JWU2GPMxDp
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b