Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1528825
MD5:e80f9e86ce0f05c999934c5047ff2312
SHA1:890a8ecd237edd11622af2e0b4ae7c8fa7e68ab4
SHA256:a3db841fa630a75dde27d23e03c350f14356dbd6f8b03eed535584229d0a677a
Tags:elfMiraiuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528825
Start date and time:2024-10-08 11:27:12 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal52.evad.linELF@0/0@2/0

Runtime Messages

Command:/tmp/na.elf
PID:5500
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5500, Parent: 5425, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: na.elfVirustotal: Detection: 46%Perma Link
Source: na.elfReversingLabs: Detection: 39%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elfString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x8000
Source: classification engineClassification label: mal52.evad.linELF@0/0@2/0

Data Obfuscation

barindex
Sample is packed with UPX
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: na.elfSubmission file: segment LOAD with 7.9718 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5500)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5500.1.00007ffce704f000.00007ffce7070000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5500.1.00005647c44f1000.00005647c46bf000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5500.1.00007ffce704f000.00007ffce7070000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: na.elf, 5500.1.00005647c44f1000.00005647c46bf000.rw-.sdmpBinary or memory string: GV!/etc/qemu-binfmt/arm
Source: na.elf, 5500.1.00007ffce704f000.00007ffce7070000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf47%VirustotalBrowse
na.elf39%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://upx.sf.net0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalseunknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://upx.sf.netna.elftrue
  • URL Reputation: safe
unknown

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comna.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):7.969920084399512
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:na.elf
File size:40'444 bytes
MD5:e80f9e86ce0f05c999934c5047ff2312
SHA1:890a8ecd237edd11622af2e0b4ae7c8fa7e68ab4
SHA256:a3db841fa630a75dde27d23e03c350f14356dbd6f8b03eed535584229d0a677a
SHA512:4e39e28704d7e128525ebfd577656e1d165eb06760e3f234c822c7f4b79da926514c2372cd95db36d117b124e625010a58e32a59d1fd314ecd5d0a9d7aaafd94
SSDEEP:768:sOTlUycTF2MYPAT1N5ZLd8GApq/s3mtVtKqR/KjJwBl9q3UELr1:tTlUPpbTlZL2GCqMmtVLoJwB4LB
TLSH:8B03F146DB3276A4BDA18EB9E2740B73B35406EAC1BB7437B4A2033859C74321F980D3
File Content Preview:.ELF..............(.........4...........4. ...(.........................................@...@...@...................Q.td...............................aUPX!........4f..4f......R..........?.E.h;....#..$..1).~.X..U.lYIn.(.r}!^R.......|...... T...p.f.....EkM

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:ARM
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - Linux
ABI Version:0
Entry Point Address:0x10ad8
Flags:0x4000002
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x80000x80000x9cc50x9cc57.97180x5R E0x8000
LOAD0x9400x309400x309400x00x00.00000x6RW 0x8000
GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 8, 2024 11:28:02.158152103 CEST5298653192.168.2.141.1.1.1
Oct 8, 2024 11:28:02.158195019 CEST5916353192.168.2.141.1.1.1
Oct 8, 2024 11:28:02.165929079 CEST53529861.1.1.1192.168.2.14
Oct 8, 2024 11:28:02.166321993 CEST53591631.1.1.1192.168.2.14

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 8, 2024 11:28:02.158152103 CEST192.168.2.141.1.1.10x151cStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 8, 2024 11:28:02.158195019 CEST192.168.2.141.1.1.10x884Standard query (0)daisy.ubuntu.com28IN (0x0001)false

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 8, 2024 11:28:02.165929079 CEST1.1.1.1192.168.2.140x151cNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
Oct 8, 2024 11:28:02.165929079 CEST1.1.1.1192.168.2.140x151cNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

System Behavior

General

Start time (UTC):09:27:59
Start date (UTC):08/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities