Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
python3.7.3.elf

Overview

General Information

Sample name:python3.7.3.elf
Analysis ID:1669008
MD5:461cad01cc92c161ad6277e6ca375d89
SHA1:e9eb3924cf14de0c3aaf29fad085805d5ee858f1
SHA256:784711f8e62690df44b5c5157cc99837c422c2083b4fe0600d2d76b48e55e867
Tags:elfuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:52
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Found strings related to Crypto-Mining
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1669008
Start date and time:2025-04-19 04:19:40 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:python3.7.3.elf
Detection:MAL
Classification:mal52.mine.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found

Runtime Messages

Command:/tmp/python3.7.3.elf
PID:5432
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
python3.7.3.elfLinux_Cryptominer_Generic_5e56d076unknownunknown
  • 0x3f4d48:$a: 71 18 4C 89 FF FF D0 48 8B 84 24 A0 00 00 00 48 89 43 60 48 8B 84 24 98 00

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • Bitcoin Miner
  • Networking
  • System Summary

Click to jump to signature section

Show All Signature Results

Bitcoin Miner

barindex
Source: python3.7.3.elfString found in binary or memory: stratum+tcp
Source: python3.7.3.elfString found in binary or memory: stratum+tcp
Source: global trafficTCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownNetwork traffic detected: HTTP traffic on port 48202 -> 443

System Summary

barindex
Source: python3.7.3.elf, type: SAMPLEMatched rule: Linux_Cryptominer_Generic_5e56d076 Author: unknown
Source: python3.7.3.elf, type: SAMPLEMatched rule: Linux_Cryptominer_Generic_5e56d076 reference_sample = 32e1cb0369803f817a0c61f25ca410774b4f37882cab966133b4f3e9c74fac09, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Generic, fingerprint = e9ca9b9faee091afed534b89313d644a52476b4757663e1cdfbcbca379857740, id = 5e56d076-0d6d-4979-8ebc-52607dcdb42d, last_modified = 2022-01-26
Source: classification engineClassification label: mal52.mine.linELF@0/0@0/0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1669008 Sample: python3.7.3.elf Startdate: 19/04/2025 Architecture: LINUX Score: 52 6 185.125.190.26, 443 CANONICAL-ASGB United Kingdom 2->6 8 Malicious sample detected (through community Yara rule) 2->8 10 Found strings related to Crypto-Mining 2->10 signatures3

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
185.125.190.26
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
185.125.190.26xd.arc.elfGet hashmaliciousUnknownBrowse
    morte.arm5.elfGet hashmaliciousUnknownBrowse
      meihao.arm6.elfGet hashmaliciousUnknownBrowse
        meihao.arm5.elfGet hashmaliciousUnknownBrowse
          na.elfGet hashmaliciousPrometeiBrowse
            .Smpsl.elfGet hashmaliciousUnknownBrowse
              boatnet.mips.elfGet hashmaliciousMiraiBrowse
                boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                  Space.arm6.elfGet hashmaliciousUnknownBrowse
                    boatnet.mips.elfGet hashmaliciousMiraiBrowse

                      Domains

                      No context

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      tftp.elfGet hashmaliciousUnknownBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42
                      na.elfGet hashmaliciousPrometeiBrowse
                      • 91.189.91.42

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      No created / dropped files found

                      Static File Info

                      General

                      File type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 84912936
                      Entropy (8bit):7.710541817678956
                      TrID:
                      • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                      • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                      File name:python3.7.3.elf
                      File size:28'057'376 bytes
                      MD5:461cad01cc92c161ad6277e6ca375d89
                      SHA1:e9eb3924cf14de0c3aaf29fad085805d5ee858f1
                      SHA256:784711f8e62690df44b5c5157cc99837c422c2083b4fe0600d2d76b48e55e867
                      SHA512:ec5ecdd56cea67bfbfbb18af03f234755f1529adc011966ff8e9a645c43b38a6e9f78cae7f105a9a1b149e930ef9089f0bea71d262d4d32a54fdbef58f8c71c6
                      SSDEEP:786432:Wbn12tO7HI1RPZ5+v0ECndt3y3Kq5Li73JqWrE4RwKY4tvE:W2OKRR5+vqt3y6q5LU3wmTYuc
                      TLSH:FF57F116F5B6A09CC1A5C938865FE5277E31F81C42306EBB6594EA311F72E308F2DB61
                      File Content Preview:.ELF..............>.......@.....@.......(...........@.8...@.!. .........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@....................... ............................

                      Network Behavior

                      Download Network PCAP: filteredfull

                      TimestampSource PortDest PortSource IPDest IP
                      Apr 19, 2025 04:20:35.640136003 CEST48202443192.168.2.13185.125.190.26
                      Apr 19, 2025 04:21:07.640233040 CEST48202443192.168.2.13185.125.190.26

                      System Behavior