Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1530552
MD5:784a35815074f518c0ca7f5f46ea636c
SHA1:5aa11310e97ce24ba7e5388823f12069ed17013b
SHA256:120d534136359bc888e60905e4139f671f9f55fed8ed643cfe4793d77b3d18c0
Tags:elfMiraiuser-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1530552
Start date and time:2024-10-10 09:53:57 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal64.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: na.elf

Runtime Messages

Command:/tmp/na.elf
PID:5513
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5513, Parent: 5427, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
na.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
  • 0x78:$a: 55 50 58 21 30 0A 0D 1E 00 00 00 00 00 00 00 00 00 00 00 00

Memory Dumps

SourceRuleDescriptionAuthorStrings
5513.1.00007f5d48400000.00007f5d48422000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
  • 0x78:$a: 55 50 58 21 30 0A 0D 1E 00 00 00 00 00 00 00 00 00 00 00 00

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: na.elfAvira: detected
Multi AV Scanner detection for submitted file
Source: na.elfReversingLabs: Detection: 52%
Source: global trafficTCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknownNetwork traffic detected: HTTP traffic on port 46540 -> 443

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: na.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: 5513.1.00007f5d48400000.00007f5d48422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: LOAD without section mappingsProgram segment: 0x400000
Source: na.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: 5513.1.00007f5d48400000.00007f5d48422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: classification engineClassification label: mal64.linELF@0/0@2/0
Source: na.elfSubmission file: segment LOAD with 7.781 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5513)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5513.1.0000561a43bba000.0000561a43c41000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 5513.1.0000561a43bba000.0000561a43c41000.rw-.sdmpBinary or memory string: V!/etc/qemu-binfmt/mipsel
Source: na.elf, 5513.1.00007ffdab828000.00007ffdab849000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: na.elf, 5513.1.00007ffdab828000.00007ffdab849000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel
Source: na.elf, 5513.1.00007ffdab828000.00007ffdab849000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf53%ReversingLabsLinux.Backdoor.Mirai
na.elf100%AviraLINUX/Mirai.bykwm

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    185.125.190.26
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    185.125.190.26na.elfGet hashmaliciousUnknownBrowse
      oQoQiI0Pdz.elfGet hashmaliciousUnknownBrowse
        na.elfGet hashmaliciousGafgytBrowse
          na.elfGet hashmaliciousUnknownBrowse
            na.elfGet hashmaliciousUnknownBrowse
              5skkMenK5x.elfGet hashmaliciousMiraiBrowse
                gMYQFxufu0.elfGet hashmaliciousMiraiBrowse
                  4LbWi40g57.elfGet hashmaliciousUnknownBrowse
                    na.elfGet hashmaliciousUnknownBrowse
                      na.elfGet hashmaliciousUnknownBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comna.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        na.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        na.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        na.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        na.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        na.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        na.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        na.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        na.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        na.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CANONICAL-ASGBna.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousUnknownBrowse
                        • 185.125.190.26
                        na.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        4F08j2Rmd9.binGet hashmaliciousXmrigBrowse
                        • 91.189.91.42
                        SecuriteInfo.com.ELF.Mirai-AJJ.10901.28787.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                        Entropy (8bit):7.7809933392332065
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:na.elf
                        File size:41'760 bytes
                        MD5:784a35815074f518c0ca7f5f46ea636c
                        SHA1:5aa11310e97ce24ba7e5388823f12069ed17013b
                        SHA256:120d534136359bc888e60905e4139f671f9f55fed8ed643cfe4793d77b3d18c0
                        SHA512:f1d98198ed1d45753c42d8c51d1f6d21ab6ba8e5f90bef7194d7eb00604fdbd3c4b41380c9e49d8c88df2ba414f53d9885b3e86c76598eac033f3d9a44627242
                        SSDEEP:768:TDoQtBTX941eYFDgNbl5PatCbYUmQAvv/wY24kDpg4A1:XtBTX941eYF8Nblpuvnwa1
                        TLSH:E413F2982F13458BC43224BBB54ADC557CC71F1A341F48AC15BAD5798AF321CA6F9326
                        File Content Preview:.ELF....................p.B.4...........4. ...(...............@...@...........................C...C....../..............UPX!0...................]........?d..ELF.......`.@.....4.p....... ...(.....-....@......n'.......H..._....=..Q.td.............@.........

                        Static ELF Info

                        ELF header

                        Class:ELF32
                        Data:2's complement, little endian
                        Version:1 (current)
                        Machine:MIPS R3000
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:UNIX - System V
                        ABI Version:0
                        Entry Point Address:0x420d70
                        Flags:0x1007
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:2
                        Section Header Offset:0
                        Section Header Size:40
                        Number of Section Headers:0
                        Header String Table Index:0

                        Program Segments

                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                        LOAD0x00x4000000x4000000x217960x217967.78100x5R E0x10000
                        LOAD0x00x4300000x4300000x00x92f180.00000x6RW 0x10000

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 10, 2024 09:55:01.375112057 CEST46540443192.168.2.14185.125.190.26
                        Oct 10, 2024 09:55:31.837960958 CEST46540443192.168.2.14185.125.190.26

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 10, 2024 09:54:55.012491941 CEST4946253192.168.2.148.8.8.8
                        Oct 10, 2024 09:54:55.012491941 CEST4957953192.168.2.148.8.8.8
                        Oct 10, 2024 09:54:55.066688061 CEST53495798.8.8.8192.168.2.14
                        Oct 10, 2024 09:54:55.066912889 CEST53494628.8.8.8192.168.2.14

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Oct 10, 2024 09:54:55.012491941 CEST192.168.2.148.8.8.80xa208Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Oct 10, 2024 09:54:55.012491941 CEST192.168.2.148.8.8.80xc806Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Oct 10, 2024 09:54:55.066912889 CEST8.8.8.8192.168.2.140xa208No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
                        Oct 10, 2024 09:54:55.066912889 CEST8.8.8.8192.168.2.140xa208No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):07:54:52
                        Start date (UTC):10/10/2024
                        Path:/tmp/na.elf
                        Arguments:/tmp/na.elf
                        File size:5773336 bytes
                        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                        Chronological Activities