Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1530547
MD5:0381e1bb451047fd5c7d60720f284532
SHA1:9700458bc797c2f03c56c29d7d4d84488d3cffd6
SHA256:890a0afc386808d8827ff440c09f4c73aeb3eb8275d03e6535a2bbaf7bc92640
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1530547
Start date and time:2024-10-10 09:49:30 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal52.troj.linELF@0/0@3/0
Command:/tmp/na.elf
PID:5483
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
thIs wEek on xLaB lEarNs nOthinG xd
Standard Error:

Process Tree:
  • system is lnxubuntu20
  • na.elf (PID: 5483, Parent: 5408, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/na.elf
    • na.elf New Fork (PID: 5485, Parent: 5483)
    • na.elf New Fork (PID: 5487, Parent: 5483)
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: na.elf; ReversingLabs: Detection: 28%
Source: na.elf; Virustotal: Detection: 19%
Source: na.elf; String: ash|login|wget|curl|tftp|ntpdate
Source: na.elf; String: /proc//exe|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/

Networking

Source: global traffic; TCP traffic: 154.90.62.142 ports 1,2,5,6,7,27651
Source: global traffic; TCP traffic: 192.168.2.14:44250 -> 154.90.62.142:27651
Source: /tmp/na.elf (PID: 5483); Socket: 127.0.0.1:1234
Source: unknown; UDP traffic detected without corresponding DNS query: 116.203.104.203
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: kr2ddnsnet.dyn
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal52.troj.linELF@0/0@3/0
Source: /tmp/na.elf (PID: 5483); Queries kernel information via 'uname'
Source: na.elf, 5483.1.00007ffda4511000.00007ffda4532000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5483.1.0000557be6e40000.0000557be6ef0000.rw-.sdmp; Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: na.elf, 5483.1.0000557be6e40000.0000557be6ef0000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/ppc
Source: na.elf, 5483.1.00007ffda4511000.00007ffda4532000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-ppc
MITRE ATT&CK Matrix (tactic: technique cells, three rows of the matrix listed per tactic; leading numbers are kept as they appear in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: 1 Scripting; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
Behavior Graph (ID: 1530547; Sample: na.elf; Startdate: 10/10/2024; Architecture: LINUX; Score: 52):

  • kr2ddnsnet.dyn: 154.90.62.142, ports 27651 and 44250, CNSERVERSUS, Seychelles
  • daisy.ubuntu.com
  • Signatures shown: Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning)
  • Process na.elf started, which in turn started two further na.elf processes
Source | Detection | Scanner | Label | Link
na.elf | 29% | ReversingLabs | Linux.Backdoor.Mirai |
na.elf | 19% | Virustotal | | Browse
No Antivirus matches

Source | Detection | Scanner | Label | Link
daisy.ubuntu.com | 0% | Virustotal | | Browse
kr2ddnsnet.dyn | 0% | Virustotal | | Browse
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | unknown
kr2ddnsnet.dyn | 154.90.62.142 | true | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
154.90.62.142 | kr2ddnsnet.dyn | Seychelles | | 40065 | CNSERVERSUS | true
Context: IPs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | NLHiAJgSnj.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |
154.90.62.142 | na.elf | Get hash | malicious | Unknown | Browse |

Context: Domains
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
daisy.ubuntu.com | na.elf | Get hash | malicious | Unknown | Browse | 162.213.35.24
daisy.ubuntu.com | na.elf | Get hash | malicious | Unknown | Browse | 162.213.35.25
daisy.ubuntu.com | na.elf | Get hash | malicious | Unknown | Browse | 162.213.35.24
daisy.ubuntu.com | na.elf | Get hash | malicious | Unknown | Browse | 162.213.35.24
daisy.ubuntu.com | na.elf | Get hash | malicious | Mirai | Browse | 162.213.35.25
daisy.ubuntu.com | na.elf | Get hash | malicious | Mirai | Browse | 162.213.35.24
daisy.ubuntu.com | na.elf | Get hash | malicious | Mirai | Browse | 162.213.35.25
daisy.ubuntu.com | na.elf | Get hash | malicious | Mirai | Browse | 162.213.35.25
daisy.ubuntu.com | na.elf | Get hash | malicious | Mirai | Browse | 162.213.35.24
daisy.ubuntu.com | na.elf | Get hash | malicious | Mirai | Browse | 162.213.35.24
kr2ddnsnet.dyn | na.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
kr2ddnsnet.dyn | SecuriteInfo.com.Linux.Mirai.5660.5605.13970.elf | Get hash | malicious | Unknown | Browse | 154.90.63.69
kr2ddnsnet.dyn | SecuriteInfo.com.Linux.Mirai.5075.8943.20322.elf | Get hash | malicious | Unknown | Browse | 154.90.63.69
kr2ddnsnet.dyn | SecuriteInfo.com.Linux.Mirai.5074.27008.26400.elf | Get hash | malicious | Unknown | Browse | 154.90.63.69

Context: ASNs
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CNSERVERSUS | na.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
CNSERVERSUS | na.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
CNSERVERSUS | na.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
CNSERVERSUS | na.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
CNSERVERSUS | na.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
CNSERVERSUS | 9b7dlGj5Gq.exe | Get hash | malicious | FormBook | Browse | 198.16.50.171
CNSERVERSUS | lPX6PixV4t.exe | Get hash | malicious | FormBook | Browse | 23.224.37.78
CNSERVERSUS | na.elf | Get hash | malicious | Mirai | Browse | 23.224.58.152
CNSERVERSUS | NLHiAJgSnj.elf | Get hash | malicious | Unknown | Browse | 154.90.62.142
CNSERVERSUS | fJD7ivEnzm.exe | Get hash | malicious | FormBook | Browse | 43.242.202.169

No context
No context
No created / dropped files found

File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.091666421172553
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:na.elf
File size:47'332 bytes
MD5:0381e1bb451047fd5c7d60720f284532
SHA1:9700458bc797c2f03c56c29d7d4d84488d3cffd6
SHA256:890a0afc386808d8827ff440c09f4c73aeb3eb8275d03e6535a2bbaf7bc92640
SHA512:67aa9a63e1f5ab19db8380c78218ee43883c59bef44dc59c27eed4d1201ec66efff4deda79fdad936a44e227b08242726e898abdef9ffb7a801f22831d72459b
SSDEEP:768:ySvZRH1GubDcxxQZ18wbo3O97ZqHPlWXsonaz2LM/Vq4MGlzAsmp:lDccZ83O97ZqvlWJHIdq4MMzA/p
TLSH:A7230842B71C0547C1762EB0363B17E0D3EBAAD222A4F388751FAB4AC1B1D376546E9D
File Content Preview:.ELF...........................4.........4. ...(..........................................................ET........dt.Q.............................!..|......$H...H..1...$8!. |...N.. .!..|.......?..........H..../...@..\?........+../...A..$8...})......N..

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:PowerPC
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x100001f0
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:46852
Section Header Size:40
Number of Section Headers:12
Header String Table Index:11
Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x10000094 | 0x94 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x100000b8 | 0xb8 | 0xa988 | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x1000aa40 | 0xaa40 | 0x20 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1000aa60 | 0xaa60 | 0x96c | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x1001b3d0 | 0xb3d0 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x1001b3d8 | 0xb3d8 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x1001b3e8 | 0xb3e8 | 0x2b4 | 0x0 | 0x3 | WA | 0 | 0 | 8
.sdata | PROGBITS | 0x1001b69c | 0xb69c | 0x1c | 0x0 | 0x3 | WA | 0 | 0 | 4
.sbss | NOBITS | 0x1001b6b8 | 0xb6b8 | 0x90 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x1001b748 | 0xb6b8 | 0x41dc | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0xb6b8 | 0x4b | 0x0 | 0x0 | | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x10000000 | 0x10000000 | 0xb3cc | 0xb3cc | 6.1331 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0xb3d0 | 0x1001b3d0 | 0x1001b3d0 | 0x2e8 | 0x4554 | 3.7809 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .sdata .sbss .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 09:50:17.451173067 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:50:17.456191063 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:50:17.456269979 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:50:17.466814041 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:50:17.471765995 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:50:32.478275061 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:50:32.483530998 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:50:56.117906094 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:50:56.118135929 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:51:47.287779093 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:51:47.287969112 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:52:16.147278070 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:52:16.147726059 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:52:31.160361052 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:52:31.165299892 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:53:32.316169977 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:53:32.316431999 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142
Oct 10, 2024 09:53:46.182831049 CEST | 27651 | 44250 | 154.90.62.142 | 192.168.2.14
Oct 10, 2024 09:53:46.183129072 CEST | 44250 | 27651 | 192.168.2.14 | 154.90.62.142

UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 10, 2024 09:50:17.434999943 CEST | 49260 | 53 | 192.168.2.14 | 116.203.104.203
Oct 10, 2024 09:50:17.445116043 CEST | 53 | 49260 | 116.203.104.203 | 192.168.2.14
Oct 10, 2024 09:52:57.511590004 CEST | 43174 | 53 | 192.168.2.14 | 1.1.1.1
Oct 10, 2024 09:52:57.511966944 CEST | 59998 | 53 | 192.168.2.14 | 1.1.1.1
Oct 10, 2024 09:52:57.518682003 CEST | 53 | 59998 | 1.1.1.1 | 192.168.2.14
Oct 10, 2024 09:52:57.519337893 CEST | 53 | 43174 | 1.1.1.1 | 192.168.2.14

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 10, 2024 09:50:17.434999943 CEST | 192.168.2.14 | 116.203.104.203 | 0xf73 | Standard query (0) | kr2ddnsnet.dyn | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:52:57.511590004 CEST | 192.168.2.14 | 1.1.1.1 | 0x6bd6 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:52:57.511966944 CEST | 192.168.2.14 | 1.1.1.1 | 0x5fef | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 10, 2024 09:50:17.445116043 CEST | 116.203.104.203 | 192.168.2.14 | 0xf73 | No error (0) | kr2ddnsnet.dyn | | 154.90.62.142 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:52:57.519337893 CEST | 1.1.1.1 | 192.168.2.14 | 0x6bd6 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Oct 10, 2024 09:52:57.519337893 CEST | 1.1.1.1 | 192.168.2.14 | 0x6bd6 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC):07:50:15
Start date (UTC):10/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):07:50:16
Start date (UTC):10/10/2024
Path:/tmp/na.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Start time (UTC):07:50:16
Start date (UTC):10/10/2024
Path:/tmp/na.elf
Arguments:-
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6