Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
criptonize.sh4.elf

Overview

General Information

Sample name:criptonize.sh4.elf
Analysis ID:1500278
MD5:8a29c9f9c8d80684aac29a72ad1506f4
SHA1:6177bcf50dec851ff30f9cbafb6edfcdfdac76b6
SHA256:3282bc3a69c9be6bc5c74d2748f391023f6199bb01c9f1a6e6b293d769522947
Tags:elf

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1500278
Start date and time:2024-08-28 07:21:13 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 15s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:criptonize.sh4.elf
Detection:CLEAN
Classification:clean1.linELF@0/0@0/0

Runtime Messages

Command:/tmp/criptonize.sh4.elf
PID:5523
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • criptonize.sh4.elf (PID: 5523, Parent: 5448, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/criptonize.sh4.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: clean1.linELF@0/0@0/0
Source: /tmp/criptonize.sh4.elf (PID: 5523)Queries kernel information via 'uname': Jump to behavior
Source: criptonize.sh4.elf, 5523.1.00007ffee4830000.00007ffee4851000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
Source: criptonize.sh4.elf, 5523.1.0000558a31fcd000.0000558a32030000.rw-.sdmpBinary or memory string: U5!/etc/qemu-binfmt/sh4
Source: criptonize.sh4.elf, 5523.1.0000558a31fcd000.0000558a32030000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
Source: criptonize.sh4.elf, 5523.1.00007ffee4830000.00007ffee4851000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sh4/tmp/criptonize.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/criptonize.sh4.elf

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.25880563889621
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:criptonize.sh4.elf
File size:116'852 bytes
MD5:8a29c9f9c8d80684aac29a72ad1506f4
SHA1:6177bcf50dec851ff30f9cbafb6edfcdfdac76b6
SHA256:3282bc3a69c9be6bc5c74d2748f391023f6199bb01c9f1a6e6b293d769522947
SHA512:4b9396f9856d4e3e963c4da1f5500049f4b351abed378287a7fff52def746eeee52de95289d6cc79a88a7753e6a769523ae7ebb4bcddde657698ba42f462d3c8
SSDEEP:1536:zz/iPw4rW0s6+sKY84i5vvogHHwItR26Bs3nmUSTL3xwzSScfsCu:zzew4r9+sTk5vowaCs3nwzxOdcfzu
TLSH:51B35AB3D8296FA8D914D8B4B4B48FB51763690841471FB96AABC3785083E8CF6407F9
File Content Preview:.ELF..............*.......@.4...........4. ...(...............@...@..~...~....................B...B.DF..............Q.td............................././"O.n........#.*@........#.*@.^...o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:<unknown>
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4001a0
Flags:0x9
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:116372
Section Header Size:40
Number of Section Headers:12
Header String Table Index:11

Sections

NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
NULL0x00x00x00x00x0000
.initPROGBITS0x4000940x940x300x00x6AX004
.textPROGBITS0x4000e00xe00x15f000x00x6AX0032
.finiPROGBITS0x415fe00x15fe00x240x00x6AX004
.rodataPROGBITS0x4160040x160040x1ea80x00x2A004
.eh_framePROGBITS0x4280000x180000x40x00x3WA004
.ctorsPROGBITS0x4280040x180040xc0x00x3WA004
.dtorsPROGBITS0x4280100x180100x80x00x3WA004
.dataPROGBITS0x4280200x180200x46140x00x3WA0032
.gotPROGBITS0x42c6340x1c6340x100x40x3WA004
.bssNOBITS0x42c6440x1c6440x47b00x00x3WA004
.shstrtabSTRTAB0x00x1c6440x4d0x00x0001

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x4000000x4000000x17eac0x17eac6.93590x5R E0x10000.init .text .fini .rodata
LOAD0x180000x4280000x4280000x46440x8df40.30570x6RW 0x10000.eh_frame .ctors .dtors .data .got .bss
GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

Network Behavior

No network behavior found

System Behavior

General

Start time (UTC):05:21:53
Start date (UTC):28/08/2024
Path:/tmp/criptonize.sh4.elf
Arguments:/tmp/criptonize.sh4.elf
File size:4139976 bytes
MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities