Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1527088
MD5:137de3e8da2c676dfa376710d85673e2
SHA1:3f1b5f0aaf135e63605d6635feb2d202bb8a57a8
SHA256:687e099d9dd3f9bbf9d17bea0039c070783655bdb13782c9d9deb1f87febc88b
Tags:elfuser-abuse_ch

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1527088
Start date and time:2024-10-06 20:59:30 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 14s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Warnings

  • VT rate limit hit for: na.elf

Runtime Messages

Command:/tmp/na.elf
PID:5511
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5511, Parent: 5435, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: na.elfReversingLabs: Detection: 50%
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /tmp/na.elf (PID: 5511)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5511.1.0000557ebd456000.0000557ebd4bb000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sparc
Source: na.elf, 5511.1.00007ffd0d3dd000.00007ffd0d3fe000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sparc/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5511.1.00007ffd0d3dd000.00007ffd0d3fe000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sparc
Source: na.elf, 5511.1.0000557ebd456000.0000557ebd4bb000.rw-.sdmpBinary or memory string: ~U!/etc/qemu-binfmt/sparc

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf50%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.050536761899086
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:na.elf
File size:75'280 bytes
MD5:137de3e8da2c676dfa376710d85673e2
SHA1:3f1b5f0aaf135e63605d6635feb2d202bb8a57a8
SHA256:687e099d9dd3f9bbf9d17bea0039c070783655bdb13782c9d9deb1f87febc88b
SHA512:df63ba71d292bca5ed769409c9f652b31364b17a98fa690c7a97e4407c456b95da3667ba42c3bd0b0284804b03fddf2b6e177773d1ac5c358890185858955899
SSDEEP:768:TslJRpQITMd56nT7vZXY9QYc0jz5ZS+O+lM5VVji1h91t39tIdP:TSJRpQIId56fvZo9Q/0jFZ9lM5Ktv6
TLSH:9B735C22BA761E17C4C1697A61F74764F2F5578A25ACCA0E7D720E8EFF3064032936B4
File Content Preview:.ELF...........................4..$......4. ...(.......................................... ... ... ....@..&X........dt.Q................................@..(....@.@=................#.....`@..`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:Sparc
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x101a4
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:74880
Section Header Size:40
Number of Section Headers:10
Header String Table Index:9

Sections

NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
NULL0x00x00x00x00x0000
.initPROGBITS0x100940x940x1c0x00x6AX004
.textPROGBITS0x100b00xb00x1012c0x00x6AX004
.finiPROGBITS0x201dc0x101dc0x140x00x6AX004
.rodataPROGBITS0x201f00x101f00x18c80x00x2A008
.ctorsPROGBITS0x320000x120000x80x00x3WA004
.dtorsPROGBITS0x320080x120080x80x00x3WA004
.dataPROGBITS0x320180x120180x4280x00x3WA008
.bssNOBITS0x324400x124400x22180x00x3WA008
.shstrtabSTRTAB0x00x124400x3e0x00x0001

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x100000x100000x11ab80x11ab86.14600x5R E0x10000.init .text .fini .rodata
LOAD0x120000x320000x320000x4400x26583.38050x6RW 0x10000.ctors .dtors .data .bss
GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

Network Behavior

No network behavior found

System Behavior

General

Start time (UTC):19:00:10
Start date (UTC):06/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:4379400 bytes
MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities