Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1530539
MD5:e52014f7cb62427bc745c6b2f4ddcd78
SHA1:27cdbbbc637d1d5da9d91a60ce556df6a4cf62eb
SHA256:8b9f56ce51585b0b453096e1600c20976ce8de625e6c2034961feda858f986f6
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:76
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1530539
Start date and time:2024-10-10 09:40:34 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal76.troj.evad.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: na.elf

Runtime Messages

Command:/tmp/na.elf
PID:5483
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5483, Parent: 5409, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
5483.1.00007f232c017000.00007f232c02e000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
    5483.1.00007f232c017000.00007f232c02e000.r-x.sdmpJoeSecurity_Mirai_5Yara detected MiraiJoe Security
      5483.1.00007f232c017000.00007f232c02e000.r-x.sdmpMAL_ELF_LNX_Mirai_Oct10_2Detects ELF malware Mirai relatedFlorian Roth
      • 0x152b8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
      Process Memory Space: na.elf PID: 5483JoeSecurity_Mirai_9Yara detected MiraiJoe Security

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: na.elfReversingLabs: Detection: 60%
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: na.elfString found in binary or memory: http://upx.sf.net

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 5483.1.00007f232c017000.00007f232c02e000.r-x.sdmp, type: MEMORYMatched rule: Detects ELF malware Mirai related Author: Florian Roth
        Source: LOAD without section mappingsProgram segment: 0x8000
        Source: 5483.1.00007f232c017000.00007f232c02e000.r-x.sdmp, type: MEMORYMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
        Source: classification engineClassification label: mal76.troj.evad.linELF@0/0@2/0

        Data Obfuscation

        barindex
        Sample is packed with UPX
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: na.elfSubmission file: segment LOAD with 7.9642 entropy (max. 8.0)
        Source: /tmp/na.elf (PID: 5483)Queries kernel information via 'uname': Jump to behavior
        Source: na.elf, 5483.1.00007ffeb8199000.00007ffeb81ba000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
        Source: na.elf, 5483.1.0000559cea1bd000.0000559cea3ab000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
        Source: na.elf, 5483.1.0000559cea1bd000.0000559cea3ab000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: na.elf, 5483.1.00007ffeb8199000.00007ffeb81ba000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
        Source: na.elf, 5483.1.00007ffeb8199000.00007ffeb81ba000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

        Stealing of Sensitive Information

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: 5483.1.00007f232c017000.00007f232c02e000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: na.elf PID: 5483, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected Mirai
        Source: Yara matchFile source: 5483.1.00007f232c017000.00007f232c02e000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: na.elf PID: 5483, type: MEMORYSTR

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
        Obfuscated Files or Information        		OS Credential Dumping11
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Application Layer Protocol        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        na.elf61%ReversingLabsLinux.Trojan.Mirai

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://upx.sf.net0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        		162.213.35.24
        		truefalse
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://upx.sf.netna.elftrue
          • URL Reputation: safe
          		unknown

          World Map of Contacted IPs

          No contacted IP infos

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          daisy.ubuntu.comna.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.25
          na.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.25
          na.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.24
          na.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.24
          na.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.25
          na.elfGet hashmaliciousUnknownBrowse
          • 162.213.35.24
          na.elfGet hashmaliciousUnknownBrowse
          • 162.213.35.25
          na.elfGet hashmaliciousUnknownBrowse
          • 162.213.35.25
          na.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.25
          na.elfGet hashmaliciousMiraiBrowse
          • 162.213.35.25

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
          Entropy (8bit):7.97805967552202
          TrID:
          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
          File name:na.elf
          File size:52'520 bytes
          MD5:e52014f7cb62427bc745c6b2f4ddcd78
          SHA1:27cdbbbc637d1d5da9d91a60ce556df6a4cf62eb
          SHA256:8b9f56ce51585b0b453096e1600c20976ce8de625e6c2034961feda858f986f6
          SHA512:4e284e3b093e7ee2786dccf1ba5dc257073ea6c8bba0bb06fb52b96875f91c0459a6ab9df4e4d672818571e88df36d5887b6af1b9fb5bb09f7a28b89fd6441dc
          SSDEEP:1536:69O/ZMAXIxNUk0uQhLcPqF1aBexo4opKZbV:69O/ZNKythLGqFUFI
          TLSH:CD3302626B7E25E192B04773FC33EC5B679C16B98D67309728F0661977C58024EF2682
          File Content Preview:.ELF..............(.........4...........4. ...(.....................................................................Q.td............................>. NUPX!.........2...2......j..........?.E.h;....#..$...o...T[_.....*).......X...hb..F.....(........e...p..

          Static ELF Info

          ELF header

          Class:ELF32
          Data:2's complement, little endian
          Version:1 (current)
          Machine:ARM
          Version Number:0x1
          Type:EXEC (Executable file)
          OS/ABI:UNIX - Linux
          ABI Version:0
          Entry Point Address:0xffa0
          Flags:0x4000002
          ELF Header Size:52
          Program Header Offset:52
          Program Header Size:32
          Number of Program Headers:3
          Section Header Offset:0
          Section Header Size:40
          Number of Section Headers:0
          Header String Table Index:0

          Program Segments

          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
          LOAD0x00x80000x80000x918d0x918d7.96420x5R E0x8000
          LOAD0x17940x297940x297940x00x00.00000x6RW 0x8000
          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

          Network Behavior

          Network Port Distribution

          UDP Packets

          TimestampSource PortDest PortSource IPDest IP
          Oct 10, 2024 09:41:16.837286949 CEST3362353192.168.2.148.8.8.8
          Oct 10, 2024 09:41:16.837356091 CEST5324353192.168.2.148.8.8.8
          Oct 10, 2024 09:41:16.843627930 CEST53336238.8.8.8192.168.2.14
          Oct 10, 2024 09:41:16.843652010 CEST53532438.8.8.8192.168.2.14

          DNS Queries

          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
          Oct 10, 2024 09:41:16.837286949 CEST192.168.2.148.8.8.80x85faStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
          Oct 10, 2024 09:41:16.837356091 CEST192.168.2.148.8.8.80x4bb9Standard query (0)daisy.ubuntu.com28IN (0x0001)false

          DNS Answers

          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
          Oct 10, 2024 09:41:16.843627930 CEST8.8.8.8192.168.2.140x85faNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
          Oct 10, 2024 09:41:16.843627930 CEST8.8.8.8192.168.2.140x85faNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

          System Behavior

          General

          Start time (UTC):07:41:14
          Start date (UTC):10/10/2024
          Path:/tmp/na.elf
          Arguments:/tmp/na.elf
          File size:4956856 bytes
          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

          Chronological Activities