Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1528837
MD5:15e9f234d683856940f418eb5250daaa
SHA1:081c0e34cc2848727eb47296b0f8e83486ec5a57
SHA256:2aec5415870068d35a7d908974ad5e95331a5141dc199a71800200fd9ac42fbf
Tags:elfuser-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528837
Start date and time:2024-10-08 11:35:33 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 18s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal64.linELF@0/0@2/0

Runtime Messages

Command:/tmp/na.elf
PID:5525
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5525, Parent: 5451, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
na.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
  • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00

Memory Dumps

SourceRuleDescriptionAuthorStrings
5525.1.00007f1e70400000.00007f1e70422000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
  • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: na.elfAvira: detected
Multi AV Scanner detection for submitted file
Source: na.elfReversingLabs: Detection: 36%
Source: na.elfVirustotal: Detection: 35%Perma Link
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: na.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: 5525.1.00007f1e70400000.00007f1e70422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: LOAD without section mappingsProgram segment: 0x400000
Source: na.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: 5525.1.00007f1e70400000.00007f1e70422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: classification engineClassification label: mal64.linELF@0/0@2/0
Source: na.elfSubmission file: segment LOAD with 7.7838 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5525)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5525.1.00007ffdd17b8000.00007ffdd17d9000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5525.1.0000556403275000.00005564032fc000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: na.elf, 5525.1.0000556403275000.00005564032fc000.rw-.sdmpBinary or memory string: dU!/etc/qemu-binfmt/mips
Source: na.elf, 5525.1.00007ffdd17b8000.00007ffdd17d9000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: na.elf, 5525.1.00007ffdd17b8000.00007ffdd17d9000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf37%ReversingLabsLinux.Trojan.Dakkatoni
na.elf35%VirustotalBrowse
na.elf100%AviraLINUX/Siggen.mceaf

Dropped Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comna.elfGet hashmaliciousMiraiBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):7.783753930370325
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:na.elf
File size:101'360 bytes
MD5:15e9f234d683856940f418eb5250daaa
SHA1:081c0e34cc2848727eb47296b0f8e83486ec5a57
SHA256:2aec5415870068d35a7d908974ad5e95331a5141dc199a71800200fd9ac42fbf
SHA512:cc3313359f02066584f8351705e07b294df04cf4b7b6e98eb75d34bdadc224e86883d67717850f79846f2bf4603721812d21f6009061889281f60df1aae466c4
SSDEEP:1536:pxpJNlEYvXndUt/afLuZmVelu9eoCtcCCzNbC4RWC0CQFW3RLlNCzgb0OmfPnm:phNlHuBafLeBtfCzpta8xlBIOp
TLSH:91A3120ABF35DD0ADB1008B727DA9E8EDC6D7B6A42CBB8B46DC2948F57810C97853205
File Content Preview:.ELF.....................B.....4.........4. ...(.............@...@...........................C...C......../..........*.*UPX!.X.....................^....|.$..ELF..........@.`....4...0... ...(......<...@......[v......H...`.t..;_...dt.Q.....].M..............

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:MIPS R3000
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4206a8
Flags:0x1007
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:2
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x4000000x4000000x210f20x210f27.78380x5R E0x10000
LOAD0x00x4300000x4300000x00x92fd80.00000x6RW 0x10000

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 8, 2024 11:36:16.744204998 CEST4198753192.168.2.151.1.1.1
Oct 8, 2024 11:36:16.744307041 CEST5950753192.168.2.151.1.1.1
Oct 8, 2024 11:36:16.776547909 CEST53419871.1.1.1192.168.2.15
Oct 8, 2024 11:36:16.776711941 CEST53595071.1.1.1192.168.2.15

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 8, 2024 11:36:16.744204998 CEST192.168.2.151.1.1.10xe4e4Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 8, 2024 11:36:16.744307041 CEST192.168.2.151.1.1.10x25Standard query (0)daisy.ubuntu.com28IN (0x0001)false

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 8, 2024 11:36:16.776547909 CEST1.1.1.1192.168.2.150xe4e4No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
Oct 8, 2024 11:36:16.776547909 CEST1.1.1.1192.168.2.150xe4e4No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

System Behavior

General

Start time (UTC):09:36:13
Start date (UTC):08/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:5777432 bytes
MD5 hash:0083f1f0e77be34ad27f849842bbb00c

Chronological Activities