Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1531484
MD5:ecaa01c88d9f59ca10d20a8750ec8f67
SHA1:274acb124b1adb3aa391183159fa8c14ea4440e7
SHA256:145528056ff380c26d5aeff1dd4949e6c5690922d47e11861586369d35f7d598
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1531484
Start date and time:2024-10-11 10:44:10 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0

Runtime Messages

Command:/tmp/na.elf
PID:5485
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5485, Parent: 5410, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: na.elfReversingLabs: Detection: 21%
Source: na.elfVirustotal: Detection: 22%Perma Link
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: /tmp/na.elf (PID: 5485)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5485.1.00005593d6394000.00005593d64a0000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: na.elf, 5485.1.00007ffe3cb94000.00007ffe3cbb5000.rw-.sdmpBinary or memory string: [x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5485.1.00005593d6394000.00005593d64a0000.rw-.sdmpBinary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: na.elf, 5485.1.00005593d6394000.00005593d64a0000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5485.1.00007ffe3cb94000.00007ffe3cbb5000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: na.elf, 5485.1.00005593d6394000.00005593d64a0000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf21%ReversingLabsLinux.Trojan.Multiverze
na.elf23%VirustotalBrowse

Dropped Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comna.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousMiraiBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, missing section headers at 381572
Entropy (8bit):6.009615090013447
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:na.elf
File size:102'400 bytes
MD5:ecaa01c88d9f59ca10d20a8750ec8f67
SHA1:274acb124b1adb3aa391183159fa8c14ea4440e7
SHA256:145528056ff380c26d5aeff1dd4949e6c5690922d47e11861586369d35f7d598
SHA512:d30d96bdd8097f0b5a71221f3c25f7fc9755efd59ce68e81e833bbe7f7fc2650e3382bdc2aff7d752614fa9f754c0744f3d6017235af2f967c9249d0c8b707ea
SSDEEP:3072:9LOuh02xHCKQnqZ9YfMXKgyLlBZSyPjYv9:FOuhPHCKsqZ9YfM6g23ZJLYv9
TLSH:FEA30A96F8A28B56C4C557B7FB4FC75637231795E3DF36038A184E34278B50A8E3AA01
File Content Preview:.ELF..............(.........4...........4. ...(........p.....+...+......................4...4...4...@...@...............t...t...t..............................................................................................................................

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 11, 2024 10:45:01.862936974 CEST4483753192.168.2.141.1.1.1
Oct 11, 2024 10:45:01.862998962 CEST4696353192.168.2.141.1.1.1
Oct 11, 2024 10:45:01.870358944 CEST53469631.1.1.1192.168.2.14
Oct 11, 2024 10:45:01.870486975 CEST53448371.1.1.1192.168.2.14

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 11, 2024 10:45:01.862936974 CEST192.168.2.141.1.1.10x6c11Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 11, 2024 10:45:01.862998962 CEST192.168.2.141.1.1.10x11bcStandard query (0)daisy.ubuntu.com28IN (0x0001)false

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 11, 2024 10:45:01.870486975 CEST1.1.1.1192.168.2.140x6c11No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
Oct 11, 2024 10:45:01.870486975 CEST1.1.1.1192.168.2.140x6c11No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

System Behavior

General

Start time (UTC):08:44:59
Start date (UTC):11/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities