Linux Analysis Report
novo.arc.elf

Overview

General Information

Sample name:novo.arc.elf
Analysis ID:1524311
MD5:e41ae522e75f99fd201c12422105b9de
SHA1:da3106437b59819b9b2a623ee4df8b321749c47f
SHA256:e5bdf8673189aa17307d5373e0ea771efc75b343cdddfd4e9e3a471b4a6a577a
Tags:elf, Mirai, novo, user-NDA0E
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Mirai
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1524311
Start date and time:2024-10-02 18:12:39 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:novo.arc.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@0/0
  • No process behavior to analyse as no analysis process or sample was found
  • VT rate limit hit for: novo.arc.elf
Command:/tmp/novo.arc.elf
PID:5450
Exit Code:255
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
Name:Mirai
Description:Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches (Source / Rule / Description / Author / Strings)

    Source:novo.arc.elf
    Rule:JoeSecurity_Mirai_8
    Description:Yara detected Mirai
    Author:Joe Security

    Source:novo.arc.elf
    Rule:Linux_Trojan_Gafgyt_28a2fe0c
    Description:unknown
    Author:unknown

    Source:novo.arc.elf
    Rule:Linux_Trojan_Mirai_0bce98a2
    Description:unknown
    Author:unknown
    Strings:
    • 0x11b0c:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A

    Source:novo.arc.elf
    Rule:Mirai_Botnet_Malware
    Description:Detects Mirai Botnet Malware
    Author:Florian Roth
    Strings:
    • 0x11d60:$s1: LCOGQGPTGP
    • 0x11bbc:$s3: CFOKLKQVPCVMP
    • 0x11ba0:$s4: QWRGPTKQMP
    • 0x11b18:$s5: HWCLVGAJ
    No Suricata rule has matched

    AV Detection

    Source: novo.arc.elf; Avira: detected
    Source: novo.arc.elf; ReversingLabs: Detection: 43%

    System Summary

    Source: novo.arc.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: novo.arc.elf, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
    Source: novo.arc.elf, type: SAMPLE; Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
    Source: Initial sample; String containing 'busybox' found: /bin/busybox
    Source: Initial sample; String containing 'busybox' found: unk_v1/bin/busybox/bin/watchdog/bin/systemdrm -rf && rm -rf novo*3f
    Source: ELF static info symbol of initial sample; .symtab present: no
    Source: novo.arc.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: novo.arc.elf, type: SAMPLE; Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
    Source: novo.arc.elf, type: SAMPLE; Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
    Source: classification engine; Classification label: mal72.troj.linELF@0/0@0/0

    Stealing of Sensitive Information

    Source: Yara match; File source: novo.arc.elf, type: SAMPLE

    Remote Access Functionality

    Source: Yara match; File source: novo.arc.elf, type: SAMPLE
    No Mitre Att&ck techniques found
    No configs have been found
    Source        Detection  Scanner        Label                 Link
    novo.arc.elf  43%        ReversingLabs  Linux.Backdoor.Mirai
    novo.arc.elf  100%       Avira          LINUX/Mirai.bonb
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    No context
    No created / dropped files found
    File type:ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):6.5820793392346335
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:novo.arc.elf
    File size:107'804 bytes
    MD5:e41ae522e75f99fd201c12422105b9de
    SHA1:da3106437b59819b9b2a623ee4df8b321749c47f
    SHA256:e5bdf8673189aa17307d5373e0ea771efc75b343cdddfd4e9e3a471b4a6a577a
    SHA512:e4d13655503454e538648a8f8784c7a8e909ebb88487a5d4fcad0be59c865a4a5ef9aa2e9f486035f117a6b319468abfdc9fe030f98375aaa225fd01b900b516
    SSDEEP:1536:/N2T9K8a3SVhv3B7LLjm3E3vC6CnnlFwSnpGpHPWIgVMwbZnT/LW3:/NkK8a+hVLIqqxnpnpGRPpgVMwbZnTq
    TLSH:FFB38EABF3471890C45247F05BCB9F9E3E6322C19F2B95F72C6A2A369C790C74905B91
    File Content Preview:.ELF..............].....0...4...........4. ...(.................................. ..................t....>....... ..................................................................Q.td.......................................................................

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:<unknown>
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x10930
    Flags:0x403
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:5
    Section Header Offset:107244
    Section Header Size:40
    Number of Section Headers:14
    Header String Table Index:13
    Name             Type        Address  Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
                     NULL        0x0      0x0      0x0      0x0      0x0                       0     0     0
    .init            PROGBITS    0x10114  0x114    0x22     0x0      0x6    AX                 0     0     1
    .text            PROGBITS    0x10138  0x138    0x10e60  0x0      0x6    AX                 0     0     4
    .fini            PROGBITS    0x20f98  0x10f98  0x16     0x0      0x6    AX                 0     0     1
    .rodata          PROGBITS    0x20fb0  0x10fb0  0x8f0c   0x0      0x2    A                  0     0     4
    .tbss            NOBITS      0x2dfe0  0x19fe0  0x8      0x0      0x403  WAT                0     0     4
    .fini_array      FINI_ARRAY  0x2dfe0  0x19fe0  0x4      0x4      0x3    WA                 0     0     4
    .ctors           PROGBITS    0x2dfe4  0x19fe4  0x8      0x0      0x3    WA                 0     0     4
    .dtors           PROGBITS    0x2dfec  0x19fec  0x8      0x0      0x3    WA                 0     0     4
    .got             PROGBITS    0x2dff4  0x19ff4  0x8      0x0      0x3    WA                 0     0     4
    .data            PROGBITS    0x2e008  0x1a008  0x24c    0x0      0x3    WA                 0     0     4
    .bss             NOBITS      0x2e254  0x1a254  0x3c80   0x0      0x3    WA                 0     0     4
    .ARC.attributes  <unknown>   0x0      0x1a254  0x32     0x0      0x0                       0     0     1
    .shstrtab        STRTAB      0x0      0x1a286  0x65     0x0      0x0                       0     0     1
    Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
    LOAD       0x0      0x10000          0x10000           0x19ebc    0x19ebc      6.6168   0x5    R E                0x2000                    .init .text .fini .rodata
    LOAD       0x19fe0  0x2dfe0          0x2dfe0           0x274      0x3ef4       3.8109   0x6    RW                 0x2000                    .tbss .fini_array .ctors .dtors .got .data .bss
    NOTE       0x0      0x0              0x0               0x0        0x0          0.0000   0x4    R                  0x4
    TLS        0x19fe0  0x2dfe0          0x2dfe0           0x0        0x8          0.0000   0x4    R                  0x4                       .tbss
    GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4
    No network behavior found

    System Behavior