
Linux Analysis Report
SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
Analysis ID: 1531111
MD5: 3739084706d8decc84e4fda6844769bb
SHA1: 742750211a32a79392d6ae008069319ccacd5622
SHA256: 39a16f216420b04becc39d9b6d9c50c521490f097e6bd7df9e5dd9c0255e65f9
Tags: elf

Detection

Score: 1
Range: 0 - 100
Whitelisted: false

Signatures

Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531111
Start date and time: 2024-10-10 21:28:23 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
Detection: CLEAN
Classification: clean1.linELF@0/0@2/0
  • VT rate limit hit for: SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
Command: /tmp/SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
PID: 5435
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault, invalid memory reference
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
No yara matches
No Suricata rule has matched

There are no malicious signatures.

  • Source: global traffic. TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
  • Source: unknown. TCP traffic detected without corresponding DNS query: 185.125.190.26
  • Source: unknown. UDP traffic detected without corresponding DNS query: 1.1.1.1
  • Source: global traffic. DNS traffic detected: DNS query: daisy.ubuntu.com
  • Source: unknown. Network traffic detected: HTTP traffic on port 48202 -> 443
  • Source: ELF static info symbol of initial sample. .symtab present: no
  • Source: classification engine. Classification label: clean1.linELF@0/0@2/0
MITRE ATT&CK matrix (matched techniques only), tactic Command and Control:
  • Encrypted Channel (1)
  • Non-Application Layer Protocol (1)
  • Application Layer Protocol (2)
No configs have been found
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf | 8% | ReversingLabs | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Context for IP 185.125.190.26 (Associated Sample Name | Detection | Threat Name):
  • VLi6LJSker.elf | malicious | Mirai
  • 17CiAkKMyC.elf | malicious | Gafgyt, Mirai
  • fNR6GoKo15.elf | malicious | Mirai
  • na.elf | malicious | Unknown
  • na.elf | malicious | Unknown
  • na.elf | malicious | Unknown
  • na.elf | malicious | Unknown
  • na.elf | malicious | Unknown
  • oQoQiI0Pdz.elf | malicious | Unknown
  • na.elf | malicious | Gafgyt
Context for domain daisy.ubuntu.com (Associated Sample Name | Detection | Threat Name | Resolved IP):
  • SecuriteInfo.com.Trojan.Linux.GenericKD.24480.17315.19960.elf | malicious | Unknown | 162.213.35.25
  • 1Yd49lT5sX.elf | malicious | Mirai | 162.213.35.25
  • hOLZtATFdS.elf | malicious | Mirai | 162.213.35.24
  • MzvEzhTtYW.elf | malicious | Mirai | 162.213.35.25
  • NBputeIhof.elf | malicious | Mirai | 162.213.35.25
  • 0akPYDSlld.elf | malicious | Mirai | 162.213.35.24
  • 17CiAkKMyC.elf | malicious | Gafgyt, Mirai | 162.213.35.25
  • fNR6GoKo15.elf | malicious | Mirai | 162.213.35.24
  • maucl6PmW8.elf | malicious | Mirai | 162.213.35.25
  • na.elf | malicious | Unknown | 162.213.35.24
Context for ASN CANONICAL-ASGB (Associated Sample Name | Detection | Threat Name | Contacted IP):
  • 6e1rv1WaB3.elf | malicious | Mirai | 91.189.91.42
  • 0XWsq1FRVD.elf | malicious | Mirai | 91.189.91.42
  • oW92qFXhAp.elf | malicious | Mirai | 91.189.91.42
  • VLi6LJSker.elf | malicious | Mirai | 185.125.190.26
  • 17CiAkKMyC.elf | malicious | Gafgyt, Mirai | 185.125.190.26
  • fNR6GoKo15.elf | malicious | Mirai | 185.125.190.26
  • perfcc.elf | malicious | Xmrig | 91.189.91.42
  • na.elf | malicious | Unknown | 91.189.91.42
  • na.elf | malicious | Unknown | 185.125.190.26
  • na.elf | malicious | Unknown | 91.189.91.42
                        No context
                        No created / dropped files found
File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=dswDAa3Pa96IQXwzNa8o/zXeywE363AvULETAnPZV/Y154CWzX1GhXLGGi1lo3/d4XVZaM2PDAAY5uysyTh, stripped
Entropy (8bit): 0.41561738201393283
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
  • ELF Executable and Linkable format (generic) (4004/1) 49.46%
  • Lumena CEL bitmap (63/63) 0.78%
File name: SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
File size: 5'435'392 bytes
MD5: 3739084706d8decc84e4fda6844769bb
SHA1: 742750211a32a79392d6ae008069319ccacd5622
SHA256: 39a16f216420b04becc39d9b6d9c50c521490f097e6bd7df9e5dd9c0255e65f9
SHA512: a8c76db20e5119fb87afa3949aabaa6f7e0e0039c382ce5df483c8b24183480c47de9658d5f5e69696976b5113a1e99cc2ca3c40cbb237a20e6f10acf4eb0d2a
SSDEEP: 3072:DLnx0iviZzlhy0XjrSzsNMKaI13Lj9I5uOOcx:fUhjftOpIxLWL
TLSH: DE46E89B689550E8D1FEE174862AB206BDB13094073837E32F6146F10F27BF95ABC358
File Content Preview: .ELF..............>......9F.....@...................@.8...@.............@.......@.@.....@.@...............................................@.......@.....d.......d.................................@.......@.......).......).......................).......i....

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4639c0
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 7
Section Header Offset: 456
Section Header Size: 64
Number of Section Headers: 14
Header String Table Index: 3
Section headers (Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align):
  | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
  | PROGBITS | 0x401000 | 0x1000 | 0x28fbf8 | 0x0 | 0x6 | AX | 0 | 0 | 32
  | PROGBITS | 0x691000 | 0x291000 | 0x1048bc | 0x0 | 0x2 | A | 0 | 0 | 32
  | STRTAB | 0x0 | 0x3958c0 | 0xa5 | 0x0 | 0x0 | | 0 | 0 | 1
  | PROGBITS | 0x795980 | 0x395980 | 0x17e4 | 0x0 | 0x2 | A | 0 | 0 | 32
  | PROGBITS | 0x797180 | 0x397180 | 0x960 | 0x0 | 0x2 | A | 0 | 0 | 32
  | PROGBITS | 0x797ae0 | 0x397ae0 | 0x0 | 0x0 | 0x2 | A | 0 | 0 | 1
  | PROGBITS | 0x797ae0 | 0x397ae0 | 0x159dd0 | 0x0 | 0x2 | A | 0 | 0 | 32
  | PROGBITS | 0x8f2000 | 0x4f2000 | 0xe0 | 0x0 | 0x3 | WA | 0 | 0 | 16
  | PROGBITS | 0x8f20e0 | 0x4f20e0 | 0x313b8 | 0x0 | 0x3 | WA | 0 | 0 | 32
  | PROGBITS | 0x9234a0 | 0x5234a0 | 0xba30 | 0x0 | 0x3 | WA | 0 | 0 | 32
  | NOBITS | 0x92eee0 | 0x52eee0 | 0x320c0 | 0x0 | 0x3 | WA | 0 | 0 | 32
  | NOBITS | 0x960fa0 | 0x560fa0 | 0xf570 | 0x0 | 0x3 | WA | 0 | 0 | 32
  | NOTE | 0x400f9c | 0xf9c | 0x64 | 0x0 | 0x2 | A | 0 | 0 | 4
Program headers (Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings):
  PHDR | 0x40 | 0x400040 | 0x400040 | 0x188 | 0x188 | 1.6334 | 0x4 | R | 0x1000 | |
  NOTE | 0xf9c | 0x400f9c | 0x400f9c | 0x64 | 0x64 | 5.1286 | 0x4 | R | 0x4 | |
  LOAD | 0x0 | 0x400000 | 0x400000 | 0x290bf8 | 0x290bf8 | 0.7717 | 0x5 | R E | 0x1000 | |
  LOAD | 0x291000 | 0x691000 | 0x691000 | 0x2608b0 | 0x2608b0 | 0.0000 | 0x4 | R | 0x1000 | |
  LOAD | 0x4f2000 | 0x8f2000 | 0x8f2000 | 0x3cee0 | 0x7e510 | 0.0000 | 0x6 | RW | 0x1000 | |
  GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |
  LOOS+5041580 | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x2a00 | | 0x8 | |
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
  Oct 10, 2024 21:29:20.093566895 CEST | 48202 | 443 | 192.168.2.13 | 185.125.190.26
  Oct 10, 2024 21:29:50.813858986 CEST | 48202 | 443 | 192.168.2.13 | 185.125.190.26

UDP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
  Oct 10, 2024 21:29:12.154855013 CEST | 55349 | 53 | 192.168.2.13 | 1.1.1.1
  Oct 10, 2024 21:29:12.155167103 CEST | 55009 | 53 | 192.168.2.13 | 1.1.1.1
  Oct 10, 2024 21:29:12.162837029 CEST | 53 | 55349 | 1.1.1.1 | 192.168.2.13
  Oct 10, 2024 21:29:12.163794041 CEST | 53 | 55009 | 1.1.1.1 | 192.168.2.13

DNS queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS):
  Oct 10, 2024 21:29:12.154855013 CEST | 192.168.2.13 | 1.1.1.1 | 0xe09a | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
  Oct 10, 2024 21:29:12.155167103 CEST | 192.168.2.13 | 1.1.1.1 | 0xade2 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
  Oct 10, 2024 21:29:12.162837029 CEST | 1.1.1.1 | 192.168.2.13 | 0xe09a | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
  Oct 10, 2024 21:29:12.162837029 CEST | 1.1.1.1 | 192.168.2.13 | 0xe09a | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                        System Behavior

Start time (UTC): 19:29:09
Start date (UTC): 10/10/2024
Path: /tmp/SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
Arguments: /tmp/SecuriteInfo.com.Trojan.Linux.Generic.23983.22081.elf
File size: 5435392 bytes
MD5 hash: 3739084706d8decc84e4fda6844769bb