
Linux Analysis Report
linux.elf

Overview

General Information

Sample name: linux.elf
Analysis ID: 1674405
MD5: 5d1ca537c4bedebf2f4d276d4199ea95
SHA1: 15ecb943232ff81301dfdba1df88ca575ea047b2
SHA256: bae21a944b639ed2c7b70964288131274916a1d52ac906725b39a3e15d243cf0
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Creates hidden files and/or directories
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1674405
Start date and time: 2025-04-25 20:14:35 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: linux.elf
Detection: MAL
Classification: mal52.evad.linELF@0/0@0/0
Command: /tmp/linux.elf
PID: 6235
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:

Process tree:
  • system is lnxubuntu20
  • linux.elf (PID: 6235, Parent: 6156, MD5: 5d1ca537c4bedebf2f4d276d4199ea95) Arguments: /tmp/linux.elf
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: linux.elf | Virustotal: Detection: 28%
Source: linux.elf | ReversingLabs: Detection: 38%
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: linux.elf | String found in binary or memory: http://upx.sf.net
Source: linux.elf, 6236.1.0000000000400000.0000000000b8f000.r-x.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/dev/urandom
Source: linux.elf, 6235.1.0000000000400000.0000000000b8f000.r-x.sdmp, linux.elf, 6236.1.0000000000400000.0000000000b8f000.r-x.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/dev/urandom/dev/randomMalformed
Source: linux.elf, 6235.1.0000000000400000.0000000000b8f000.r-x.sdmp, linux.elf, 6236.1.0000000000400000.0000000000b8f000.r-x.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/dev/urandom/dev/randomlenBadOffsetIOMalformedScro
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: LOAD without section mappings | Program segment: 0x400000
Source: classification engine | Classification label: mal52.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 4.02 Copyright (C) 1996-2023 the UPX Team. All Rights Reserved. $
Source: /tmp/linux.elf (PID: 6236) | Directory: /proc/.
Source: /tmp/linux.elf (PID: 6236) | Directory: /proc/6236/.
Source: linux.elf | Submission file: segment LOAD with 7.595 entropy (max. 8.0)
Source: linux.elf | Submission file: segment LOAD with 7.9491 entropy (max. 8.0)
MITRE ATT&CK Matrix (techniques matched by the signatures above):

  • Defense Evasion: Hidden Files and Directories
  • Defense Evasion: Obfuscated Files or Information
  • Command and Control: Encrypted Channel
  • Command and Control: Application Layer Protocol
No configs have been found
Behavior Graph (ID: 1674405, Sample: linux.elf, Start date: 25/04/2025, Architecture: LINUX, Score: 52): linux.elf started, then started a second linux.elf process; contacted 109.202.202.202:80 (INIT7CH, Switzerland), 91.189.91.42:443 and 91.189.91.43:443 (CANONICAL-ASGB, United Kingdom); signatures shown: "Multi AV Scanner detection for submitted file", "Sample is packed with UPX".
Source | Detection | Scanner | Label
linux.elf | 28% | Virustotal |
linux.elf | 39% | ReversingLabs | Linux.Trojan.Multiverze
No Antivirus matches


No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | linux.elf | false | | high
https://docs.rs/getrandom#nodejs-es-module-support/dev/urandom/dev/randomMalformed | linux.elf, 6235.1.0000000000400000.0000000000b8f000.r-x.sdmp, linux.elf, 6236.1.0000000000400000.0000000000b8f000.r-x.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support/dev/urandom/dev/randomlenBadOffsetIOMalformedScro | linux.elf, 6235.1.0000000000400000.0000000000b8f000.r-x.sdmp, linux.elf, 6236.1.0000000000400000.0000000000b8f000.r-x.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support/dev/urandom | linux.elf, 6236.1.0000000000400000.0000000000b8f000.r-x.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 | arm5.elf | malicious | Mirai |
91.189.91.43 | weedwget.elf | malicious | Gafgyt, Mirai |
91.189.91.43 | weedtelnetd.elf | malicious | Gafgyt, Mirai |
91.189.91.43 | weedntpd.elf | malicious | Mirai, Gafgyt |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.42 | arm5.elf | malicious | Mirai |
91.189.91.42 | weedwget.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | weedtelnetd.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | weedsshd.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | weedntpd.elf | malicious | Mirai, Gafgyt |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | arm5.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | weedwget.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | weedtelnetd.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | weedsshd.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | weedntpd.elf | malicious | Mirai, Gafgyt | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 185.125.190.26
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
INIT7CH | arm5.elf | malicious | Mirai | 109.202.202.202
INIT7CH | weedwget.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | weedtelnetd.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | weedsshd.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | weedntpd.elf | malicious | Mirai, Gafgyt | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
No context
No created / dropped files found
File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit): 7.949062606634446
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: linux.elf
File size: 3'631'236 bytes
MD5: 5d1ca537c4bedebf2f4d276d4199ea95
SHA1: 15ecb943232ff81301dfdba1df88ca575ea047b2
SHA256: bae21a944b639ed2c7b70964288131274916a1d52ac906725b39a3e15d243cf0
SHA512: 9f5ecebb2c5ba5e1c4818219ebe55689cd648886d73c4bf6d0905a859734d32e725889172d3be429ae43511796e9e354039e28d27d2fc5c2c4c7d8b186cc2e4d
SSDEEP: 98304:vdSFDyvEL91S9I9JeXudd6b9oyRq2dIrzJDvS4UDb4SjVqSA:vdSFhL9Vrk9oyM2SXJDFOxjkSA
TLSH: 16F53399C8332AF2795E972EB73A07A43FA5BCFE5BDE78D007668DA54832DD14112300
File Content Preview: .ELF..............>......Z......@...................@.8...........................@.......@......................@.......................................e7......e7......@......Q.td....................................................#...UPX!.........u....x

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x1185ad0
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 0
Number of Section Headers: 0
Header String Table Index: 0

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x1000 | 0xa0ded8 | 7.5950 | 0x6 | RW | 0x4000 | |
LOAD | 0x0 | 0xe10000 | 0xe10000 | 0x376596 | 0x376596 | 7.9491 | 0x5 | R E | 0x4000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10 | |


  • Total Packets: 7
  • 443 (HTTPS)
  • 80 (HTTP)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2025 20:15:21.673991919 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Apr 25, 2025 20:15:27.049264908 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Apr 25, 2025 20:15:28.584912062 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Apr 25, 2025 20:15:43.175019026 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Apr 25, 2025 20:15:53.413506031 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Apr 25, 2025 20:15:59.556685925 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Apr 25, 2025 20:16:24.129312992 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42

System Behavior

Start time (UTC): 18:15:19
Start date (UTC): 25/04/2025
Path: /tmp/linux.elf
Arguments: /tmp/linux.elf
File size: 3631236 bytes
MD5 hash: 5d1ca537c4bedebf2f4d276d4199ea95

Start time (UTC): 18:15:19
Start date (UTC): 25/04/2025
Path: /tmp/linux.elf
Arguments: -
File size: 3631236 bytes
MD5 hash: 5d1ca537c4bedebf2f4d276d4199ea95