
Linux Analysis Report
python3.7.3.elf

Overview

General Information

Sample name: python3.7.3.elf
Analysis ID: 1669008
MD5: 461cad01cc92c161ad6277e6ca375d89
SHA1: e9eb3924cf14de0c3aaf29fad085805d5ee858f1
SHA256: 784711f8e62690df44b5c5157cc99837c422c2083b4fe0600d2d76b48e55e867
Tags: elf, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score: 52
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Found strings related to Crypto-Mining
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1669008
Start date and time: 2025-04-19 04:19:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: python3.7.3.elf
Detection: MAL
Classification: mal52.mine.linELF@0/0@0/0
Command: /tmp/python3.7.3.elf
PID: 5432
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault, invalid memory reference
Killed: False
Standard Output:

Standard Error:
Source | Rule | Description | Author | Strings
python3.7.3.elf | Linux_Cryptominer_Generic_5e56d076 | unknown | unknown
  • 0x3f4d48:$a: 71 18 4C 89 FF FF D0 48 8B 84 24 A0 00 00 00 48 89 43 60 48 8B 84 24 98 00
No Suricata rule has matched


Bitcoin Miner

Source: python3.7.3.elf | String found in binary or memory: stratum+tcp
Source: global traffic | TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown | TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown | Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Source: python3.7.3.elf, type: SAMPLE | Matched rule: Linux_Cryptominer_Generic_5e56d076, Author: unknown
Source: python3.7.3.elf, type: SAMPLE | Matched rule: Linux_Cryptominer_Generic_5e56d076 (reference_sample = 32e1cb0369803f817a0c61f25ca410774b4f37882cab966133b4f3e9c74fac09, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Generic, fingerprint = e9ca9b9faee091afed534b89313d644a52476b4757663e1cdfbcbca379857740, id = 5e56d076-0d6d-4979-8ebc-52607dcdb42d, last_modified = 2022-01-26)
Source: classification engine | Classification label: mal52.mine.linELF@0/0@0/0
MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Matched techniques, all under Command and Control:
  • Encrypted Channel (1)
  • Application Layer Protocol (1)
No configs have been found
Behavior Graph (ID: 1669008; Sample: python3.7.3.elf; Start date: 19/04/2025; Architecture: LINUX; Score: 52)
  • 2 -> 6: 185.125.190.26, port 443 (CANONICAL-ASGB, United Kingdom)
  • 2 -> 8: Malicious sample detected (through community Yara rule)
  • 2 -> 10: Found strings related to Crypto-Mining

No Antivirus matches


No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match: 185.125.190.26. Associated samples (Detection / Threat Name):
  • xd.arc.elf (malicious / Unknown)
  • morte.arm5.elf (malicious / Unknown)
  • meihao.arm6.elf (malicious / Unknown)
  • meihao.arm5.elf (malicious / Unknown)
  • na.elf (malicious / Prometei)
  • .Smpsl.elf (malicious / Unknown)
  • boatnet.mips.elf (malicious / Mirai)
  • boatnet.arm6.elf (malicious / Mirai)
  • Space.arm6.elf (malicious / Unknown)
  • boatnet.mips.elf (malicious / Mirai)
                      No context
Match: CANONICAL-ASGB. Associated samples (Detection / Threat Name / Context IP):
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • tftp.elf (malicious / Unknown / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
  • na.elf (malicious / Prometei / 91.189.91.42)
                      No context
                      No context
                      No created / dropped files found
File type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 84912936
Entropy (8bit): 7.710541817678956
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: python3.7.3.elf
File size: 28'057'376 bytes
MD5: 461cad01cc92c161ad6277e6ca375d89
SHA1: e9eb3924cf14de0c3aaf29fad085805d5ee858f1
SHA256: 784711f8e62690df44b5c5157cc99837c422c2083b4fe0600d2d76b48e55e867
SHA512: ec5ecdd56cea67bfbfbb18af03f234755f1529adc011966ff8e9a645c43b38a6e9f78cae7f105a9a1b149e930ef9089f0bea71d262d4d32a54fdbef58f8c71c6
SSDEEP: 786432:Wbn12tO7HI1RPZ5+v0ECndt3y3Kq5Li73JqWrE4RwKY4tvE:W2OKRR5+vqt3y6q5LU3wmTYuc
TLSH: FF57F116F5B6A09CC1A5C938865FE5277E31F81C42306EBB6594EA311F72E308F2DB61
File Content Preview: .ELF..............>.......@.....@.......(...........@.8...@.!. .........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@....................... ............................


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2025 04:20:35.640136003 CEST | 48202 | 443 | 192.168.2.13 | 185.125.190.26
Apr 19, 2025 04:21:07.640233040 CEST | 48202 | 443 | 192.168.2.13 | 185.125.190.26

                      System Behavior