
Linux Analysis Report
lol.mipsel.elf

Overview

General Information

Sample name:lol.mipsel.elf
Analysis ID:1670260
MD5:9128ee0ffa8ddb39484e731a76a7c822
SHA1:95174a67804208d5539acf6fe7d70dbcab8cbd3c
SHA256:fa8284ee9da3f3ef6b68538444cde32034302cf0dea218970e4b09f3485d5b72
Tags:elf, user-abuse_ch

Detection

Score:56
Range:0 - 100

Signatures

Suricata IDS alerts for network traffic
Performs DNS TXT record lookups
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1670260
Start date and time:2025-04-21 12:58:19 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 41s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:lol.mipsel.elf
Detection:MAL
Classification:mal56.troj.evad.linELF@0/0@2/0
Command:/tmp/lol.mipsel.elf
PID:5479
Exit Code:0
Killed:False
Standard Output:
snow slide
Standard Error:
Process Tree:
  • system is lnxubuntu20
  • lol.mipsel.elf (PID: 5479, Parent: 5396, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/lol.mipsel.elf
  • cleanup
No yara matches
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-21T12:59:22.679137+0200 | 2812067 | 1 | Malware Command and Control Activity Detected | 192.168.2.13 | 33282 | 8.8.8.8 | 53 | UDP


Networking

Source: Network traffic; Suricata IDS: 2812067 - Severity 1 - ETPRO MALWARE SOGU DNS CnC Channel TXT Lookup : 192.168.2.13:33282 -> 8.8.8.8:53
Source: unknown; DNS query: name: stun.l.google.com
Source: global traffic; TCP traffic: 192.168.2.13:32898 -> 77.232.43.209:8001
Source: global traffic; UDP traffic: 192.168.2.13:40752 -> 74.125.250.129:19302
Source: /tmp/lol.mipsel.elf (PID: 5481); Socket: 127.0.0.1:24676
Source: unknown; TCP traffic detected without corresponding DNS query: 77.232.43.209
Source: global traffic; DNS traffic detected: DNS query: 6mv1eyr328y6due83u3js6whtzuxfyhw.su
Source: global traffic; DNS traffic detected: DNS query: stun.l.google.com
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal56.troj.evad.linELF@0/0@2/0
Source: /tmp/lol.mipsel.elf (PID: 5479); Queries kernel information via 'uname'
Source: lol.mipsel.elf, 5479.1.0000565101bf4000.0000565101c7b000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/mipsel
Source: lol.mipsel.elf, 5479.1.0000565101bf4000.0000565101c7b000.rw-.sdmp; Binary or memory string: QV!/etc/qemu-binfmt/mipsel
Source: lol.mipsel.elf, 5479.1.00007fff853ce000.00007fff853ef000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-mipsel
Source: lol.mipsel.elf, 5479.1.00007fff853ce000.00007fff853ef000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/lol.mipsel.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/lol.mipsel.elf
Note on the four memory strings above: the analysis host is x86_64, so the MIPS binary runs under QEMU user-mode emulation. The /usr/bin/qemu-mipsel and /etc/qemu-binfmt/mipsel paths and the SUDO_*/HOME/USER variables are the emulator process's own environment (the sandbox launched the sample via sudo from user saturnino to root); they are not strings embedded in lol.mipsel.elf and should not be turned into signatures for the sample.

HIPS / PFW / Operating System Protection Evasion

Source: Traffic; DNS traffic detected: queries for: 6mv1eyr328y6due83u3js6whtzuxfyhw.su
MITRE ATT&CK techniques matched (the remaining cells of the report's matrix are the unmatched template entries and are omitted):
  • Discovery: Security Software Discovery
  • Command and Control: Non-Standard Port; Non-Application Layer Protocol; Application Layer Protocol
No configs have been found
Behavior graph (ID 1670260, sample lol.mipsel.elf, start date 21/04/2025, architecture LINUX, score 56): lol.mipsel.elf starts and spawns a second lol.mipsel.elf process; the sample contacts stun.l.google.com (Uses STUN server to do NAT traversal), 6mv1eyr328y6due83u3js6whtzuxfyhw.su (Performs DNS TXT record lookups) and 2 other IPs or domains; Suricata IDS alerts for network traffic.
Source | Detection | Scanner | Label
lol.mipsel.elf | 6% | ReversingLabs | Linux.Worm.Mirai
No Antivirus matches for dropped files, URLs or domains


Name | IP | Active | Malicious | Antivirus Detection | Reputation
stun.l.google.com | 74.125.250.129 | true | false | - | high
6mv1eyr328y6due83u3js6whtzuxfyhw.su | unknown | unknown | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
77.232.43.209 | unknown | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | false
74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLEUS | false
Context for IP 77.232.43.209: also contacted by the previously analyzed samples lol.mipsel.elf (malicious, threat name Unknown) and mips.elf (malicious, threat name Unknown).
Context for ASN EUT-ASEUTIPNetworkRU: previously analyzed samples with servers in this ASN:
  • lol.mipsel.elf (malicious, Unknown) - 77.232.43.209
  • lol.armv5l.elf (malicious, Unknown) - 77.232.39.173
  • skid.mips.elf (malicious, Unknown) - 77.232.39.173
  • mips.elf (malicious, Unknown) - 77.232.43.209
  • .i.elf (malicious, Mirai) - 77.232.49.152
  • hiss.mips.elf (malicious, Unknown) - 77.232.36.152
  • hiss.arm7.elf (malicious, Unknown) - 77.232.42.137
  • hiss.arm5.elf (malicious, Unknown) - 77.232.42.137
  • nabm68k.elf (malicious, Unknown) - 77.232.49.124
  • spc.elf (malicious, Mirai) - 62.181.57.176
No context for the domains or dropped files.
          No created / dropped files found
          File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
          Entropy (8bit):5.250608837606172
          TrID:
          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
          File name:lol.mipsel.elf
          File size:158'440 bytes
          MD5:9128ee0ffa8ddb39484e731a76a7c822
          SHA1:95174a67804208d5539acf6fe7d70dbcab8cbd3c
          SHA256:fa8284ee9da3f3ef6b68538444cde32034302cf0dea218970e4b09f3485d5b72
          SHA512:b6df5bbbf04c6ee2508729d20c8c4892f1e32c6cf7238e49de5da6db629cbd208dfc5c06c0b709f7ebd8089acd1faddb28f11d600befda810ffd8cacdd31f00e
          SSDEEP:1536:ADucOR5Vyarl0H1jx7u3NuaYBdb1EIB7KHbDrX:tTXVnW1jgXy1E9T
          TLSH:36F3C8496FA13FFFC40FCC3341A98E1911AC564A63A6BF7B1F28E905B68614A49D3D4C
          File Content Preview:.ELF......................@.4...hh......4. ...(........p......@...@...........................@...@.Pd..Pd..............Pd..PdC.PdC.....4...........Q.td..................................................C....'...................< ..'!.............9'.. ....

          ELF header

          Class:ELF32
          Data:2's complement, little endian
          Version:1 (current)
          Machine:MIPS R3000
          Version Number:0x1
          Type:EXEC (Executable file)
          OS/ABI:UNIX - System V
          ABI Version:0
          Entry Point Address:0x4002a0
          Flags:0x1007
          ELF Header Size:52
          Program Header Offset:52
          Program Header Size:32
          Number of Program Headers:4
          Section Header Offset:157800
          Section Header Size:40
          Number of Section Headers:16
          Header String Table Index:15
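Worked example, added here and not part of the Joe Sandbox report or of the sample: a minimal ELF32 header parser in Python that reproduces the fields listed above and decodes the MIPS e_flags value 0x1007. The 52 header bytes are constructed from the values the report lists (the sample's own bytes are not on this page), so this checks the report's figures for internal consistency rather than parsing the file itself. The only value beyond the listed ones is the e_machine code 8 (EM_MIPS, which readelf prints as "MIPS R3000"); the flag and architecture constants are from the MIPS ELF ABI supplement.

```python
import struct

E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# MIPS-specific e_flags bits; the top nibble encodes the ISA level
MIPS_FLAG_BITS = [
    (0x00000001, "EF_MIPS_NOREORDER"),
    (0x00000002, "EF_MIPS_PIC"),
    (0x00000004, "EF_MIPS_CPIC"),
    (0x00000008, "EF_MIPS_XGOT"),
    (0x00001000, "EF_MIPS_ABI_O32"),
    (0x00002000, "EF_MIPS_ABI_O64"),
]
MIPS_ARCH = {0x00000000: "MIPS-I", 0x10000000: "MIPS-II", 0x20000000: "MIPS-III",
             0x30000000: "MIPS-IV", 0x40000000: "MIPS-V", 0x50000000: "MIPS32",
             0x60000000: "MIPS64", 0x70000000: "MIPS32r2", 0x80000000: "MIPS64r2"}

EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
EHDR_FMT = "HHIIIIIHHHHHH"  # the 36 bytes that follow the 16-byte e_ident

# Constructed 52-byte ELF32 header assembled from the report's "ELF header"
# table above; these are NOT bytes copied from the sample file.
CONSTRUCTED_HEADER = (
    b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + bytes(7)   # ELFCLASS32, LSB, v1, SysV ABI 0, pad
    + struct.pack("<" + EHDR_FMT, 2, 8, 1, 0x4002a0, 52, 157800, 0x1007,
                  52, 32, 4, 40, 16, 15)
)

def parse_elf32_header(data: bytes) -> dict:
    """Decode an ELF32 file header; raises ValueError on anything that is not one."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("missing ELF magic or truncated header")
    if data[4] != 1:
        raise ValueError("only ELFCLASS32 is handled here")
    endian = "<" if data[5] == 1 else ">"
    hdr = dict(zip(EHDR_FIELDS, struct.unpack(endian + EHDR_FMT, data[16:52])))
    hdr["data"] = "little endian" if data[5] == 1 else "big endian"
    hdr["osabi"] = data[7]
    hdr["type_name"] = E_TYPE.get(hdr["e_type"], "unknown")
    hdr["machine_name"] = E_MACHINE.get(hdr["e_machine"], "unknown")
    if hdr["e_ehsize"] != 52:
        raise ValueError("unexpected e_ehsize for an ELF32 header")
    return hdr

def decode_mips_flags(e_flags: int) -> list:
    """Named MIPS e_flags bits plus the ISA level from the top nibble."""
    names = [name for bit, name in MIPS_FLAG_BITS if e_flags & bit]
    names.append(MIPS_ARCH.get(e_flags & 0xF0000000, "unknown-arch"))
    return names

def section_table_end(hdr: dict) -> int:
    """File offset just past the section header table. With the usual
    toolchain layout this equals the file size; a larger file means trailing
    (appended) data, a smaller one means the file is truncated."""
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]

if __name__ == "__main__":
    h = parse_elf32_header(CONSTRUCTED_HEADER)
    print(h["type_name"], h["machine_name"], hex(h["e_entry"]), decode_mips_flags(h["e_flags"]))
    print("section table ends at", section_table_end(h))  # 158440, the reported file size
```

For this header 0x1007 decodes to NOREORDER | PIC | CPIC | ABI_O32 with arch MIPS-I, matching the "MIPS-I version 1" file type string, and the section header table ends exactly at byte 158,440, the reported file size, so nothing is appended after the section table.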
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | - | 0 | 0 | 0
.reginfo | MIPS_REGINFO | 0x4000b4 | 0xb4 | 0x18 | 0x18 | 0x2 | A | 0 | 0 | 4
.init | PROGBITS | 0x4000cc | 0xcc | 0x7c | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x400150 | 0x150 | 0x25f20 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x426070 | 0x26070 | 0x4c | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x4260c0 | 0x260c0 | 0x390 | 0x0 | 0x2 | A | 0 | 0 | 16
.eh_frame | PROGBITS | 0x436450 | 0x26450 | 0x2c | 0x0 | 0x3 | WA | 0 | 0 | 4
.ctors | PROGBITS | 0x43647c | 0x2647c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x436484 | 0x26484 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data.rel.ro | PROGBITS | 0x436490 | 0x26490 | 0x4c | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x4364e0 | 0x264e0 | 0x30 | 0x0 | 0x3 | WA | 0 | 0 | 16
.got | PROGBITS | 0x436510 | 0x26510 | 0x2e4 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
.sdata | PROGBITS | 0x4367f4 | 0x267f4 | 0x4 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.sbss | NOBITS | 0x4367f8 | 0x267f8 | 0x18 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
.bss | NOBITS | 0x436810 | 0x267f8 | 0x674 | 0x0 | 0x3 | WA | 0 | 0 | 16
.shstrtab | STRTAB | 0x0 | 0x267f8 | 0x70 | 0x0 | 0x0 | - | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
<unknown> (MIPS_REGINFO) | 0xb4 | 0x4000b4 | 0x4000b4 | 0x18 | 0x18 | 0.7417 | 0x4 | R | 0x4 | - | .reginfo
LOAD | 0x0 | 0x400000 | 0x400000 | 0x26450 | 0x26450 | 5.2514 | 0x5 | R E | 0x10000 | - | .reginfo .init .text .fini .rodata
LOAD | 0x26450 | 0x436450 | 0x436450 | 0x3a8 | 0xa34 | 4.5186 | 0x6 | RW | 0x10000 | - | .eh_frame .ctors .dtors .data.rel.ro .data .got .sdata .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | - | -
No PT_INTERP entry is present, consistent with the "statically linked" file type; the GNU_STACK segment is marked RWE, so the binary requests an executable stack.


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-21T12:59:22.679137+0200 | 2812067 | ETPRO MALWARE SOGU DNS CnC Channel TXT Lookup | 1 | 192.168.2.13 | 33282 | 8.8.8.8 | 53 | UDP
  • Total Packets: 26
  • Port 19302: no service label in the report (the UDP exchange with stun.l.google.com)
  • Port 8001: no service label in the report (the TCP session with 77.232.43.209)
  • Port 53 (DNS)
TCP packets (flow 192.168.2.13:32898 <-> 77.232.43.209:8001). After the initial three-second exchange the server sends a packet every 10 to 16 seconds and the client answers within a millisecond, the shape of a persistent, low-volume bot-to-server channel with keepalives; the session is still open when the capture ends at 13:01:21.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 21, 2025 12:59:22.875564098 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:23.232098103 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:23.232199907 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:23.232742071 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:23.589334011 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:23.589531898 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:23.945868015 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:23.945950031 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:23.946012974 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:23.948391914 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:24.345128059 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:24.345254898 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:24.701965094 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:24.701991081 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:24.702061892 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:25.091798067 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:25.488960028 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:25.489198923 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:25.845860004 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:25.845875978 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:25.845940113 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:41.264133930 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:41.264380932 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 12:59:56.623909950 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 12:59:56.624080896 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:00:06.948379993 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:00:06.948664904 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:00:06.948795080 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:00:07.346003056 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:00:07.346275091 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:00:07.702740908 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:00:22.740562916 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:00:22.740739107 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:00:38.605813026 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:00:38.606067896 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:00:54.476150036 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:00:54.476413965 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:01:05.181281090 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:01:05.181396008 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:01:05.181466103 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:01:05.538331032 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:01:05.538443089 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
Apr 21, 2025 13:01:05.894778967 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:01:21.627873898 CEST | 8001 | 32898 | 77.232.43.209 | 192.168.2.13
Apr 21, 2025 13:01:21.628144979 CEST | 32898 | 8001 | 192.168.2.13 | 77.232.43.209
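An added example, not part of the report and not the sample's code: a small periodicity check over the client-side timestamps of the 32898 -> 8001 flow, transcribed from the TCP packet table above (server-to-client rows left out). It collapses packets that arrive within a couple of seconds of each other into one exchange, measures the idle time between exchanges, and scores how many of those idle gaps sit near the median. The 2-second burst threshold and the 20% jitter tolerance are assumed parameters, not values from the report.

```python
from datetime import datetime
from statistics import median

# Client-to-server packet timestamps (HH:MM:SS.ffffff, CEST) of the flow
# 192.168.2.13:32898 -> 77.232.43.209:8001, transcribed from the report's
# TCP packet table and truncated to microseconds.
CLIENT_TX = """
12:59:22.875564 12:59:23.232199 12:59:23.232742 12:59:23.589531 12:59:23.946012
12:59:23.948391 12:59:24.345254 12:59:24.702061 12:59:25.091798 12:59:25.489198
12:59:25.845940 12:59:41.264380 12:59:56.624080 13:00:06.948664 13:00:06.948795
13:00:07.346275 13:00:22.740739 13:00:38.606067 13:00:54.476413 13:01:05.181396
13:01:05.181466 13:01:05.538443 13:01:21.628144
""".split()

def to_seconds(stamp: str) -> float:
    """Seconds since midnight for an HH:MM:SS.ffffff string (all on one day)."""
    t = datetime.strptime(stamp, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def idle_gaps(stamps, burst_gap: float = 2.0) -> list:
    """Treat packets closer than burst_gap seconds as one exchange and return
    the idle time between consecutive exchanges."""
    ts = sorted(to_seconds(s) for s in stamps)
    return [cur - prev for prev, cur in zip(ts, ts[1:]) if cur - prev > burst_gap]

def beacon_score(gaps, tolerance: float = 0.2):
    """Fraction of idle gaps within +/-tolerance of the median gap, plus that median.
    Needs at least three gaps to say anything; fewer returns (0.0, None)."""
    if len(gaps) < 3:
        return 0.0, None
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return regular / len(gaps), med

if __name__ == "__main__":
    gaps = idle_gaps(CLIENT_TX)
    score, med = beacon_score(gaps)
    print("idle gaps:", [round(g, 1) for g in gaps])
    print("median %.1fs, %.0f%% of gaps within 20%% of it" % (med, score * 100))
```

On this flow the eight idle gaps cluster at about 15.4 s with two shorter ones near 10.5 s, so 6 of 8 fall inside the tolerance band. A score this high on a long-lived connection to an unresolved IP on a non-standard port is the kind of combination worth alerting on; on its own a regular cadence also describes legitimate keepalives, so pair it with the destination reputation and the missing DNS resolution noted earlier in the report.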
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 21, 2025 12:59:22.679136992 CEST | 33282 | 53 | 192.168.2.13 | 8.8.8.8
Apr 21, 2025 12:59:22.874016047 CEST | 53 | 33282 | 8.8.8.8 | 192.168.2.13
Apr 21, 2025 12:59:24.702794075 CEST | 42152 | 53 | 192.168.2.13 | 8.8.8.8
Apr 21, 2025 12:59:24.905596018 CEST | 53 | 42152 | 8.8.8.8 | 192.168.2.13
Apr 21, 2025 12:59:24.906034946 CEST | 40752 | 19302 | 192.168.2.13 | 74.125.250.129
Apr 21, 2025 12:59:25.091280937 CEST | 19302 | 40752 | 74.125.250.129 | 192.168.2.13
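The single request/response pair on UDP/19302 is the shape of a STUN Binding transaction. What that looks like on the wire, as an added example rather than the report's content or the sample's own code: the 20-byte Binding Request (RFC 5389 header with the magic cookie 0x2112A442) and the parse of the XOR-MAPPED-ADDRESS attribute in the Binding Success Response, which is how a bot behind NAT learns its public IP and port. The report does not include the UDP payloads, so the response is constructed here with the documentation address 203.0.113.7 and the client port 40752 seen in the table; only IPv4 is handled.

```python
import os
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
IPV4 = 0x01

def build_binding_request(txid: bytes) -> bytes:
    """20-byte Binding Request: type, zero attribute length, magic cookie, 96-bit id.
    The constant cookie at offset 4 is the easiest network signature for STUN."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid

def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side of the exchange, used here only to construct a test packet:
    reflects the client's public ip:port in an XOR-MAPPED-ADDRESS attribute."""
    cookie = struct.pack("!I", STUN_MAGIC_COOKIE)
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), cookie))
    attr = struct.pack("!HHBBH", ATTR_XOR_MAPPED_ADDRESS, 8, 0, IPV4, xport) + xaddr
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txid + attr

def parse_binding_response(pkt: bytes, txid: bytes) -> dict:
    """Return {'xor-mapped': (ip, port)} and/or {'mapped': (ip, port)} from a
    Binding Success Response; rejects packets that do not belong to our transaction."""
    if len(pkt) < 20:
        raise ValueError("short STUN packet")
    msg_type, length, magic = struct.unpack("!HHI", pkt[:8])
    if magic != STUN_MAGIC_COOKIE or pkt[8:20] != txid:
        raise ValueError("not a response to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % msg_type)
    body = pkt[20:20 + length]
    cookie = struct.pack("!I", STUN_MAGIC_COOKIE)
    found = {}
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)            # attribute values are padded to 32 bits
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if len(value) < 8 or value[1] != IPV4:  # IPv6 (family 0x02) not handled here
            continue
        port = struct.unpack("!H", value[2:4])[0]
        addr = value[4:8]
        if atype == ATTR_XOR_MAPPED_ADDRESS:    # undo the XOR with the cookie
            port ^= STUN_MAGIC_COOKIE >> 16
            addr = bytes(a ^ b for a, b in zip(addr, cookie))
        key = "xor-mapped" if atype == ATTR_XOR_MAPPED_ADDRESS else "mapped"
        found[key] = (socket.inet_ntoa(addr), port)
    return found

def discover_public_address(txid: bytes = None) -> dict:
    """Offline round trip: build the request the bot would send on UDP/19302,
    then run a constructed server reply through the parser."""
    txid = txid or os.urandom(12)
    request = build_binding_request(txid)
    assert len(request) == 20
    response = build_binding_response(txid, "203.0.113.7", 40752)  # constructed reply
    return parse_binding_response(response, txid)
```

The XOR step exists so that NAT devices which rewrite any IP address they see in a payload do not corrupt the reflected address; a parser that only honours MAPPED-ADDRESS will get wrong answers behind such devices, which is why both attributes are read.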
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 21, 2025 12:59:22.679136992 CEST | 192.168.2.13 | 8.8.8.8 | 0x6fa0 | Standard query (0) | 6mv1eyr328y6due83u3js6whtzuxfyhw.su | TXT (16) | IN (0x0001) | false
Apr 21, 2025 12:59:24.702794075 CEST | 192.168.2.13 | 8.8.8.8 | 0xfdc9 | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 21, 2025 12:59:22.874016047 CEST | 8.8.8.8 | 192.168.2.13 | 0x6fa0 | No error (0) | 6mv1eyr328y6due83u3js6whtzuxfyhw.su | - | - | TXT (Text strings) | IN (0x0001) | false
(the report lists this TXT answer row seven times, one per answer record; the TXT record contents themselves are not reproduced in the report)
Apr 21, 2025 12:59:24.905596018 CEST | 8.8.8.8 | 192.168.2.13 | 0xfdc9 | No error (0) | stun.l.google.com | - | 74.125.250.129 | A (IP address) | IN (0x0001) | false
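An added detection example, not from the report, for the behaviour behind the ETPRO TXT-lookup alert: it scans constructed Zeek-style dns.log lines modelled on the two queries above and flags TXT queries whose leftmost label is long and high-entropy, the shape of a machine-generated C2 name such as 6mv1eyr328y6due83u3js6whtzuxfyhw.su. The tab-separated log format, the epoch timestamps, the benign third line and the length/entropy thresholds are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed Zeek-style dns.log excerpt (tab-separated: ts, id.orig_h, id.resp_h,
# query, qtype_name), modelled on the two queries in the report's DNS table.
# The timestamps and the third, benign line are made up for this example.
DNS_LOG = (
    "1745233162.679\t192.168.2.13\t8.8.8.8\t6mv1eyr328y6due83u3js6whtzuxfyhw.su\tTXT\n"
    "1745233164.702\t192.168.2.13\t8.8.8.8\tstun.l.google.com\tA\n"
    "1745233170.000\t192.168.2.13\t8.8.8.8\t_dmarc.example.com\tTXT\n"
)

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_txt_queries(log_text: str, min_label_len: int = 16,
                           min_entropy: float = 3.5) -> list:
    """Flag TXT queries whose leftmost label is at least min_label_len characters
    and at least min_entropy bits/char. Both thresholds are assumed starting points;
    tune them against your own resolver logs before alerting on them."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, query, qtype = line.split("\t")[:5]
        if qtype != "TXT":
            continue
        label = query.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_label_len and ent >= min_entropy:
            hits.append({"ts": ts, "src": src, "resolver": dst,
                         "query": query, "entropy": round(ent, 2)})
    return hits

if __name__ == "__main__":
    for hit in suspicious_txt_queries(DNS_LOG):
        print("suspicious TXT lookup:", hit)
```

The 32-character label of the .su domain scores about 4.2 bits per character, while legitimate TXT targets such as _dmarc or DKIM selector names have short, low-entropy leading labels and pass. Expect false positives from long DKIM selectors and from domain-verification tokens; the Suricata rule that fired here is keyed on more than the label shape, so treat this as a triage filter rather than a replacement for it.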

          System Behavior

          Start time (UTC):10:59:21
          Start date (UTC):21/04/2025
          Path:/tmp/lol.mipsel.elf
          Arguments:/tmp/lol.mipsel.elf
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9
(The size and MD5 recorded for this process are not those of the sample, which is 158'440 bytes with MD5 9128ee0ffa8ddb39484e731a76a7c822. Together with the /usr/bin/qemu-mipsel strings in the process memory dump they point to the QEMU user-mode emulator that the x64 analysis host launched to run the MIPS binary.)

          Start time (UTC):10:59:21
          Start date (UTC):21/04/2025
          Path:/tmp/lol.mipsel.elf
          Arguments:-
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9
(Size and MD5 are those of the x64 host's QEMU user-mode emulator binary, not of the 158'440-byte sample.)