Edit tour
Linux
Analysis Report
criptonize.sh4.elf
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1500278 |
Start date and time: | 2024-08-28 07:21:13 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | criptonize.sh4.elf |
Detection: | CLEAN |
Classification: | clean1.linELF@0/0@0/0 |
Command: | /tmp/criptonize.sh4.elf |
PID: | 5523 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
- system is lnxubuntu20
- cleanup
⊘No yara matches
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
Source: | .symtab present: |
Source: | Classification label: |
Source: | Queries kernel information via 'uname': | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
⊘No configs have been found
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.25880563889621 |
TrID: |
|
File name: | criptonize.sh4.elf |
File size: | 116'852 bytes |
MD5: | 8a29c9f9c8d80684aac29a72ad1506f4 |
SHA1: | 6177bcf50dec851ff30f9cbafb6edfcdfdac76b6 |
SHA256: | 3282bc3a69c9be6bc5c74d2748f391023f6199bb01c9f1a6e6b293d769522947 |
SHA512: | 4b9396f9856d4e3e963c4da1f5500049f4b351abed378287a7fff52def746eeee52de95289d6cc79a88a7753e6a769523ae7ebb4bcddde657698ba42f462d3c8 |
SSDEEP: | 1536:zz/iPw4rW0s6+sKY84i5vvogHHwItR26Bs3nmUSTL3xwzSScfsCu:zzew4r9+sTk5vowaCs3nwzxOdcfzu |
TLSH: | 51B35AB3D8296FA8D914D8B4B4B48FB51763690841471FB96AABC3785083E8CF6407F9 |
File Content Preview: | .ELF..............*.......@.4...........4. ...(...............@...@..~...~....................B...B.DF..............Q.td............................././"O.n........#.*@........#.*@.^...o&O.n...l..............................././.../.a"O.!...n...a.b("...q. |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 116372 |
Section Header Size: | 40 |
Number of Section Headers: | 12 |
Header String Table Index: | 11 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x4000e0 | 0xe0 | 0x15f00 | 0x0 | 0x6 | AX | 0 | 0 | 32 |
.fini | PROGBITS | 0x415fe0 | 0x15fe0 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x416004 | 0x16004 | 0x1ea8 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.eh_frame | PROGBITS | 0x428000 | 0x18000 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.ctors | PROGBITS | 0x428004 | 0x18004 | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x428010 | 0x18010 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x428020 | 0x18020 | 0x4614 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.got | PROGBITS | 0x42c634 | 0x1c634 | 0x10 | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x42c644 | 0x1c644 | 0x47b0 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0x1c644 | 0x4d | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x400000 | 0x400000 | 0x17eac | 0x17eac | 6.9359 | 0x5 | R E | 0x10000 | .init .text .fini .rodata | |
LOAD | 0x18000 | 0x428000 | 0x428000 | 0x4644 | 0x8df4 | 0.3057 | 0x6 | RW | 0x10000 | .eh_frame .ctors .dtors .data .got .bss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |
⊘No network behavior found
System Behavior
Start time (UTC): | 05:21:53 |
Start date (UTC): | 28/08/2024 |
Path: | /tmp/criptonize.sh4.elf |
Arguments: | /tmp/criptonize.sh4.elf |
File size: | 4139976 bytes |
MD5 hash: | 8943e5f8f8c280467b4472c15ae93ba9 |