Linux
Analysis Report
mpsl.elf
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Signatures
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1660217 |
Start date and time: | 2025-04-09 06:00:44 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 8s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | mpsl.elf |
Detection: | MAL |
Classification: | mal52.troj.linELF@0/2@0/0 |
Command: | /tmp/mpsl.elf |
PID: | 6259 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | For God so loved the world |
Standard Error: |
- • AV Detection
- • Networking
- • System Summary
- • Persistence and Installation Behavior
- • Malware Analysis System Evasion
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Socket: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: | ||
Source: | String containing 'busybox' found: |
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: | ||
Source: | String containing potential weak password found: |
Source: | .symtab present: |
Source: | Classification label: |
Persistence and Installation Behavior |
---|
Source: | File: | Jump to behavior |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Source: | Rm executable: | ||
Source: | Rm executable: |
Source: | Queries kernel information via 'uname': |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 File Deletion | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | 1 Brute Force | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
33% | ReversingLabs | Linux.Backdoor.Gafgyt | ||
38% | Virustotal | Browse |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
34.249.145.219 | unknown | United States | 16509 | AMAZON-02US | false | |
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Process: | /tmp/mpsl.elf |
File Type: | |
Category: | dropped |
Size (bytes): | 362 |
Entropy (8bit): | 3.7946852578785095 |
Encrypted: | false |
SSDEEP: | 6:URA/tIgDF6Fk7CY/VmsDF6FfKyVPj/VKAvVVyAb/3hM/V+4D/VH:IA/fkGfkxKyyaVIAbRMfF |
MD5: | 8626E24C6C375B0C8466940FC112645A |
SHA1: | 2136BA9FFB8B60A4928B6452CA8D1CD07ECA49F7 |
SHA-256: | 98B805DF166243F79DA32E0DE9EEA74C1AEDBFA8B6DD8FA388DE53B74F3A7D40 |
SHA-512: | A497A7DA93E453F683100984BBC1B17516A6CD88206304AD36741ABF65D15683FB7E2F896C0EED4FBEFAB29C4ED81F49A8416F5985757645AE65E3264F3E4C71 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | /tmp/mpsl.elf |
File Type: | |
Category: | dropped |
Size (bytes): | 362 |
Entropy (8bit): | 3.7946852578785095 |
Encrypted: | false |
SSDEEP: | 6:URA/tIgDF6Fk7CY/VmsDF6FfKyVPj/VKAvVVyAb/3hM/V+4D/VH:IA/fkGfkxKyyaVIAbRMfF |
MD5: | 8626E24C6C375B0C8466940FC112645A |
SHA1: | 2136BA9FFB8B60A4928B6452CA8D1CD07ECA49F7 |
SHA-256: | 98B805DF166243F79DA32E0DE9EEA74C1AEDBFA8B6DD8FA388DE53B74F3A7D40 |
SHA-512: | A497A7DA93E453F683100984BBC1B17516A6CD88206304AD36741ABF65D15683FB7E2F896C0EED4FBEFAB29C4ED81F49A8416F5985757645AE65E3264F3E4C71 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 5.143485756645029 |
TrID: |
|
File name: | mpsl.elf |
File size: | 190'848 bytes |
MD5: | 5abd0891a6ecdfb5ef8fbeb1a4fc008b |
SHA1: | 2c72436f58832dd88c9cff1832834f02f7d4ce1c |
SHA256: | 7580c54b9b7ee808e4b2d097b9f228b42852e8d6173cb7833e610cbd4146b122 |
SHA512: | ab91740ffc077b5808fe9ed7280fb1fde5aaef68dd934a0637ca6aedafe771bb2cd04dac23c8dbd7acda1a031f052587af74c0f1b3734ad46cc0df5bc515a199 |
SSDEEP: | 1536:cchMHxAJL5x1Yu4o2tIMOrMiNHbDrVmPHY0NyakOtsElddTlnOArV:cchaxAJdfj4EWY0BBd5 |
TLSH: | BD148486BF503EFFC85ECD3751A4CA0A129C895D5294BFB66A34E414B68B10E99C3C9C |
File Content Preview: | .ELF....................`.@.4...x.......4. ...(...............@...@.`...`...............<...<.C.<.C......O..........Q.td...............................'...................<xa.'!.............9'.. ........................<Ha.'!... .........9'.. ............ |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 190328 |
Section Header Size: | 40 |
Number of Section Headers: | 13 |
Header String Table Index: | 12 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.init | PROGBITS | 0x400094 | 0x94 | 0x7c | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x400110 | 0x110 | 0x2ab70 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x42ac80 | 0x2ac80 | 0x4c | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x42acd0 | 0x2acd0 | 0x2b90 | 0x0 | 0x2 | A | 0 | 0 | 16 |
.ctors | PROGBITS | 0x43e03c | 0x2e03c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x43e044 | 0x2e044 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data.rel.ro | PROGBITS | 0x43e050 | 0x2e050 | 0x108 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x43e160 | 0x2e160 | 0xd0 | 0x0 | 0x3 | WA | 0 | 0 | 16 |
.got | PROGBITS | 0x43e230 | 0x2e230 | 0x4f0 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16 |
.sbss | NOBITS | 0x43e720 | 0x2e720 | 0x1c | 0x0 | 0x10000003 | WAp | 0 | 0 | 4 |
.bss | NOBITS | 0x43e740 | 0x2e720 | 0x4800 | 0x0 | 0x3 | WA | 0 | 0 | 16 |
.shstrtab | STRTAB | 0x0 | 0x2e720 | 0x56 | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x400000 | 0x400000 | 0x2d860 | 0x2d860 | 5.1777 | 0x5 | R E | 0x10000 | .init .text .fini .rodata | |
LOAD | 0x2e03c | 0x43e03c | 0x43e03c | 0x6e4 | 0x4f04 | 4.7761 | 0x6 | RW | 0x10000 | .ctors .dtors .data.rel.ro .data .got .sbss .bss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |
- Total Packets: 10
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 9, 2025 06:01:55.468121052 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Apr 9, 2025 06:01:56.184232950 CEST | 39258 | 443 | 192.168.2.23 | 34.249.145.219 |
Apr 9, 2025 06:01:56.184278965 CEST | 443 | 39258 | 34.249.145.219 | 192.168.2.23 |
Apr 9, 2025 06:01:56.186703920 CEST | 39258 | 443 | 192.168.2.23 | 34.249.145.219 |
Apr 9, 2025 06:01:56.186703920 CEST | 39258 | 443 | 192.168.2.23 | 34.249.145.219 |
Apr 9, 2025 06:01:56.186736107 CEST | 443 | 39258 | 34.249.145.219 | 192.168.2.23 |
Apr 9, 2025 06:02:01.099386930 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Apr 9, 2025 06:02:15.945324898 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Apr 9, 2025 06:02:17.993110895 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Apr 9, 2025 06:02:28.231614113 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Apr 9, 2025 06:02:56.178708076 CEST | 39258 | 443 | 192.168.2.23 | 34.249.145.219 |
Apr 9, 2025 06:02:56.224287987 CEST | 443 | 39258 | 34.249.145.219 | 192.168.2.23 |
Apr 9, 2025 06:02:56.899787903 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
System Behavior
Start time (UTC): | 04:01:52 |
Start date (UTC): | 09/04/2025 |
Path: | /tmp/mpsl.elf |
Arguments: | /tmp/mpsl.elf |
File size: | 5773336 bytes |
MD5 hash: | 0d6f61f82cf2f781c6eb0661071d42d9 |
Start time (UTC): | 04:01:56 |
Start date (UTC): | 09/04/2025 |
Path: | /tmp/mpsl.elf |
Arguments: | - |
File size: | 5773336 bytes |
MD5 hash: | 0d6f61f82cf2f781c6eb0661071d42d9 |
Start time (UTC): | 04:02:54 |
Start date (UTC): | 09/04/2025 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 04:02:54 |
Start date (UTC): | 09/04/2025 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 04:02:54 |
Start date (UTC): | 09/04/2025 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 04:02:54 |
Start date (UTC): | 09/04/2025 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |