Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
eWOLEi2hJg.elf

Overview

General Information

Sample name:eWOLEi2hJg.elf
renamed because original name is a hash value
Original sample name:d75994684d5bc04028dca45e93e58f716e06f69f173cf4ab47f9c68d5436a247.elf
Analysis ID:1520719
MD5:428a5618b90e0d98b96205ce2b40bf14
SHA1:a14953444955b6049d402bb5445d25a9ea794c9a
SHA256:d75994684d5bc04028dca45e93e58f716e06f69f173cf4ab47f9c68d5436a247
Tags:45-124-64-27elfuser-JAMESWT_MHT
Infos:

Detection

ConnectBack
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected ConnectBack
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Detected TCP or UDP traffic on non-standard ports
Sample contains only a LOAD segment without any section mappings

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1520719
Start date and time:2024-09-27 19:12:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:eWOLEi2hJg.elf
renamed because original name is a hash value
Original Sample Name:d75994684d5bc04028dca45e93e58f716e06f69f173cf4ab47f9c68d5436a247.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: eWOLEi2hJg.elf

Runtime Messages

Command:/tmp/eWOLEi2hJg.elf
PID:5435
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • eWOLEi2hJg.elf (PID: 5435, Parent: 5357, MD5: 428a5618b90e0d98b96205ce2b40bf14) Arguments: /tmp/eWOLEi2hJg.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
ConnectBackConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
5435.1.0000000000400000.0000000000401000.rwx.sdmpJoeSecurity_ConnectBackYara detected ConnectBackJoe Security

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 5435.1.0000000000400000.0000000000401000.rwx.sdmpMalware Configuration Extractor: ConnectBack {"C2": "45.124.64.27:47159"}
    Multi AV Scanner detection for submitted file
    Source: eWOLEi2hJg.elfReversingLabs: Detection: 50%
    Machine Learning detection for sample
    Source: eWOLEi2hJg.elfJoe Sandbox ML: detected

    Networking

    barindex
    Connects to many ports of the same IP (likely port scanning)
    Source: global trafficTCP traffic: 45.124.64.27 ports 47159,1,4,5,7,9
    Source: global trafficTCP traffic: 192.168.2.13:53150 -> 45.124.64.27:47159
    Source: unknownTCP traffic detected without corresponding DNS query: 45.124.64.27
    Source: unknownTCP traffic detected without corresponding DNS query: 45.124.64.27
    Source: unknownTCP traffic detected without corresponding DNS query: 45.124.64.27
    Source: unknownTCP traffic detected without corresponding DNS query: 45.124.64.27
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
    Source: LOAD without section mappingsProgram segment: 0x400000
    Source: classification engineClassification label: mal72.troj.linELF@0/0@2/0

    Stealing of Sensitive Information

    barindex
    Yara detected ConnectBack
    Source: Yara matchFile source: 5435.1.0000000000400000.0000000000401000.rwx.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Yara detected ConnectBack
    Source: Yara matchFile source: 5435.1.0000000000400000.0000000000401000.rwx.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
    Non-Standard Port    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
    Non-Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
    Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact

    Malware Configuration

    Threatname: ConnectBack

    {"C2": "45.124.64.27:47159"}

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    eWOLEi2hJg.elf50%ReversingLabsLinux.Backdoor.Meterpreter
    eWOLEi2hJg.elf100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    daisy.ubuntu.com
    		162.213.35.24
    		truefalse
      		unknown

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious
      45.124.64.27
      		unknownHong Kong
      		36351SOFTLAYERUStrue

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      daisy.ubuntu.comSecuriteInfo.com.ELF.FastReverseProxy-D.16458.15476.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.25
      pl.spc.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.25
      pl.x86.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.24
      pl.arm5.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.24
      pl.m68.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.25
      pl.mips.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.25
      pl.ppc.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.25
      pl.sh4.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.25
      pl.arm4t.elfGet hashmaliciousGafgytBrowse
      • 162.213.35.24
      i586.elfGet hashmaliciousUnknownBrowse
      • 162.213.35.24

      ASNs

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      SOFTLAYERUShttps://uhcdenal.com/Get hashmaliciousUnknownBrowse
      • 52.116.53.155
      z65orderrequest.bat.exeGet hashmaliciousGuLoader, RemcosBrowse
      • 43.226.229.233
      SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elfGet hashmaliciousUnknownBrowse
      • 169.63.50.112
      http://pub-d64d63bc9b0049929bfeb3afd89bfb4d.r2.dev/file.htmlGet hashmaliciousHTMLPhisherBrowse
      • 169.55.190.245
      Awb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
      • 172.111.137.137
      http://pub-d64d63bc9b0049929bfeb3afd89bfb4d.r2.dev/file.htmlGet hashmaliciousHTMLPhisherBrowse
      • 169.55.190.245
      SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elfGet hashmaliciousUnknownBrowse
      • 70.87.118.83
      SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elfGet hashmaliciousUnknownBrowse
      • 173.192.57.8
      http://17ebook.comGet hashmaliciousUnknownBrowse
      • 52.116.53.155
      https://bankllist.usGet hashmaliciousUnknownBrowse
      • 52.116.53.150

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
      Entropy (8bit):5.309859275769177
      TrID:
      • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
      • ELF Executable and Linkable format (generic) (4004/1) 49.84%
      File name:eWOLEi2hJg.elf
      File size:295 bytes
      MD5:428a5618b90e0d98b96205ce2b40bf14
      SHA1:a14953444955b6049d402bb5445d25a9ea794c9a
      SHA256:d75994684d5bc04028dca45e93e58f716e06f69f173cf4ab47f9c68d5436a247
      SHA512:11faf46cc55e07b01a36b1f57bebf5d8eaa740a1f4d96df197672985d73aaea05c7f9cc9c110e785703dc4b986afc056bbd53382f960aad29aa2aa81e49c319a
      SSDEEP:6:BnX//In8/r1aklZRRzvO2+vVo1LvqeR552m1yKcyBHKRec:BvwncrQ6T6nVoBvvRn2m1Byec
      TLSH:95E0A747174713CFD2614D79C4D803312AF3D077F2615B2799A6251A380795D0C31964
      File Content Preview:.ELF..............>.....x.@.....@...................@.8...........................@.......@.....'.......................H1.H......H......H..a..L...H1X'H-................0.}A`..;......F...&.K..........`..I..y.Z.?.1..{V....[.J..... ..d...Hs.../.T.`.....I..^

      Static ELF Info

      ELF header

      Class:ELF64
      Data:2's complement, little endian
      Version:1 (current)
      Machine:Advanced Micro Devices X86-64
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - System V
      ABI Version:0
      Entry Point Address:0x400078
      Flags:0x0
      ELF Header Size:64
      Program Header Offset:64
      Program Header Size:56
      Number of Program Headers:1
      Section Header Offset:0
      Section Header Size:0
      Number of Section Headers:0
      Header String Table Index:0

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x4000000x4000000x1270x1d65.30990x7RWE0x1000

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Sep 27, 2024 19:12:54.682404995 CEST5315047159192.168.2.1345.124.64.27
      Sep 27, 2024 19:12:54.687553883 CEST471595315045.124.64.27192.168.2.13
      Sep 27, 2024 19:12:54.687746048 CEST5315047159192.168.2.1345.124.64.27
      Sep 27, 2024 19:12:56.706355095 CEST471595315045.124.64.27192.168.2.13
      Sep 27, 2024 19:12:56.708197117 CEST5315047159192.168.2.1345.124.64.27
      Sep 27, 2024 19:12:56.924277067 CEST5315047159192.168.2.1345.124.64.27
      Sep 27, 2024 19:12:56.929364920 CEST471595315045.124.64.27192.168.2.13

      UDP Packets

      TimestampSource PortDest PortSource IPDest IP
      Sep 27, 2024 19:12:57.383703947 CEST5958853192.168.2.131.1.1.1
      Sep 27, 2024 19:12:57.383754969 CEST5488953192.168.2.131.1.1.1
      Sep 27, 2024 19:12:57.390851974 CEST53595881.1.1.1192.168.2.13
      Sep 27, 2024 19:12:57.390968084 CEST53548891.1.1.1192.168.2.13

      DNS Queries

      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
      Sep 27, 2024 19:12:57.383703947 CEST192.168.2.131.1.1.10x74c8Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
      Sep 27, 2024 19:12:57.383754969 CEST192.168.2.131.1.1.10x770bStandard query (0)daisy.ubuntu.com28IN (0x0001)false

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Sep 27, 2024 19:12:57.390851974 CEST1.1.1.1192.168.2.130x74c8No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
      Sep 27, 2024 19:12:57.390851974 CEST1.1.1.1192.168.2.130x74c8No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

      System Behavior

      General

      Start time (UTC):17:12:53
      Start date (UTC):27/09/2024
      Path:/tmp/eWOLEi2hJg.elf
      Arguments:/tmp/eWOLEi2hJg.elf
      File size:295 bytes
      MD5 hash:428a5618b90e0d98b96205ce2b40bf14

      Chronological Activities