
Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1532512
MD5: 6e4b2522b7fc360d9d6c00a51dd2b363
SHA1: e4b1340e990cb56746dbb0a77c39eabff5f59f37
SHA256: 56516e052f4a2433a3617724c6f49427e415be0bc84ffc96a840b326da0d1fbf
Tags: elf, user-abuse_ch

Detection

Score: 22
Range: 0 - 100
Whitelisted: false

Signatures

Connects to many ports of the same IP (likely port scanning)
Detected TCP or UDP traffic on non-standard ports
Found strings indicative of a multi-platform dropper
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532512
Start date and time: 2024-10-13 15:19:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: na.elf
Detection: SUS
Classification: sus22.troj.linELF@0/0@2/0
Command: /tmp/na.elf
PID: 5527
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output:
thIs wEek on xLaB lEarNs nOthinG xd
Standard Error: (empty)

Process Tree:
  • system is lnxubuntu20
  • na.elf (PID: 5527, Parent: 5443, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/na.elf
    • na.elf New Fork (PID: 5531, Parent: 5527)
    • na.elf New Fork (PID: 5533, Parent: 5527)
  • cleanup
No yara matches
No Suricata rule has matched

Signature Results

Found strings indicative of a multi-platform dropper:
Source: na.elf  String: ash|login|wget|curl|tftp|ntpdate
Source: na.elf  String: l/proc//exe|ash|login|wget|curl|tftp|ntpdate/fdsocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin/
(The second string is a run of NUL-separated strings from .rodata shown without separators: a /proc/<pid>/exe and /proc/<pid>/fd walk, the process-name list ash|login|wget|curl|tftp|ntpdate, and a list of directories typical of embedded/DVR firmware.)

Networking

Connects to many ports of the same IP (likely port scanning):
Source: global traffic  TCP traffic: 156.244.16.207 ports 1, 5, 7, 8, 9, 15987

Detected TCP or UDP traffic on non-standard ports:
Source: global traffic  TCP traffic: 192.168.2.14:58928 -> 156.244.16.207:15987

Sample listens on a socket:
Source: /tmp/na.elf (PID: 5527)  Socket: 127.0.0.1:1234

Source: unknown  TCP traffic detected without corresponding DNS query: 156.244.16.207 (reported 10 times)
Source: unknown  UDP traffic detected without corresponding DNS query: 185.84.81.194
Source: global traffic  DNS traffic detected: DNS query: daisy.ubuntu.com

Sample has stripped symbol table:
Source: ELF static info symbol of initial sample  .symtab present: no

Source: classification engine  Classification label: sus22.troj.linELF@0/0@2/0

Uses the "uname" system call to query kernel version information (possible evasion):
Source: /tmp/na.elf (PID: 5527)  Queries kernel information via 'uname'

Binary or memory strings (process stack / heap; the NUL-separated argv and environment block is shown here split on its field boundaries):
Source: na.elf, 5527.1.00007fff16f46000.00007fff16f67000.rw-.sdmp  x86_64 | /usr/bin/qemu-sh4 | /tmp/na.elf | SUDO_USER=saturnino | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin | DISPLAY=:1.0 | XAUTHORITY=/run/user/1000/gdm/Xauthority | SUDO_UID=1000 | TERM=xterm-256color | COLORTERM=truecolor | LOGNAME=root | USER=root | LANG=en_US.UTF-8 | SUDO_COMMAND=/bin/bash | HOME=/root | MAIL=/var/mail/root | SUDO_GID=1000 | SHELL=/bin/bash | /tmp/na.elf
Source: na.elf, 5527.1.00007fff16f46000.00007fff16f67000.rw-.sdmp  /usr/bin/qemu-sh4
Source: na.elf, 5527.1.000055a407d13000.000055a407d76000.rw-.sdmp  U5!/etc/qemu-binfmt/sh4
Source: na.elf, 5527.1.000055a407d13000.000055a407d76000.rw-.sdmp  /etc/qemu-binfmt/sh4
ATT&CK Matrix (a count in front of a technique is the number of signatures mapped to it; techniques without a count are the unmatched default cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: 1 Scripting; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
Behavior Graph

Behavior Graph ID: 1532512
Sample: na.elf
Start date: 13/10/2024
Architecture: LINUX
Score: 22
Nodes:
  • na.elf (started) -> na.elf, na.elf (two child processes)
  • 156.244.16.207, ports 15987 / 58928, POWERLINE-AS-AP (POWERLINE DATACENTER HK), Seychelles
  • 185.84.81.194, ports 37194 / 5353, KAMP-DE, Germany
  • daisy.ubuntu.com
  • Signature: Connects to many ports of the same IP (likely port scanning)

Antivirus Detection

No Antivirus matches

Source             Detection  Scanner     Label
daisy.ubuntu.com   0%         Virustotal  (none)

Domains

Name               IP              Active  Malicious  Antivirus Detection  Reputation
daisy.ubuntu.com   162.213.35.25   true    false      (none)               unknown

daisy.ubuntu.com is the endpoint of Ubuntu's crash reporter (whoopsie/apport) and is expected background traffic from the Ubuntu 20.04 analysis VM; the sample's own traffic went to hard-coded IPs with no DNS lookup at all. The context tables below show the same domain in many unrelated ELF analyses, which is consistent with it being sandbox noise rather than sample behaviour.
IPs

IP               Domain    Country     ASN     ASN Name                                Malicious
156.244.16.207   unknown   Seychelles  132839  POWERLINE-AS-AP POWERLINE DATACENTER HK  true
185.84.81.194    unknown   Germany     8648    KAMP-DE                                 false
Context: IPs (other analyses that contacted the same IP; all listed samples were classified malicious)

Match            Associated Sample Name / URL                          Threat Name
156.244.16.207   na.elf                                                Unknown
                 na.elf                                                Unknown
                 na.elf                                                Unknown
185.84.81.194    MO52No4WnT.elf                                        Unknown
                 na.elf                                                Unknown
                 na.elf                                                Unknown
                 na.elf                                                Unknown
                 SecuriteInfo.com.Linux.Mirai.5074.23844.14740.elf     Unknown
                 SecuriteInfo.com.Linux.Mirai.5157.925.21651.elf       Unknown
                 mrbbx2evMH.elf                                        Unknown
                 O8s0ONHbkg.elf                                        Unknown
                 0aS89usCTf.elf                                        Unknown
                 G9J8ic1utC.elf                                        Unknown

Context: Domains (other analyses that resolved the same domain; all listed samples were classified malicious)

Match              Associated Sample Name / URL   Threat Name      Resolved IP
daisy.ubuntu.com   arm5.elf                       Mirai            162.213.35.25
                   arm6.elf                       Mirai, Moobot    162.213.35.24
                   debug.dbg.elf                  Mirai, Moobot    162.213.35.25
                   0h7AeM6QgB.elf                 Unknown          162.213.35.24
                   na.elf                         Unknown          162.213.35.24
                   na.elf                         Unknown          162.213.35.25
                   na.elf                         Unknown          162.213.35.24
                   na.elf                         Mirai            162.213.35.25
                   na.elf                         Unknown          162.213.35.25
                   na.elf                         Unknown          162.213.35.24

Context: ASNs (other analyses that contacted hosts in the same ASN; all listed samples were classified malicious)

Match                                       Associated Sample Name / URL                        Threat Name      IP
KAMP-DE                                     MO52No4WnT.elf                                      Unknown          185.84.81.194
                                            na.elf                                              Unknown          185.84.81.194
                                            na.elf                                              Mirai            185.105.253.184
                                            na.elf                                              Unknown          185.84.81.194
                                            na.elf                                              Unknown          185.84.81.194
                                            SecuriteInfo.com.Linux.Mirai.5074.23844.14740.elf   Unknown          185.84.81.194
                                            sora.ppc.elf                                        Unknown          212.110.122.35
                                            mirai.mips.elf                                      Mirai            213.146.107.223
                                            GOoY5QBqvC.elf                                      Mirai, Moobot    213.146.107.207
                                            YOkLx2A3A7.elf                                      Mirai, Moobot    213.146.107.212
POWERLINE-AS-AP POWERLINE DATACENTER HK     na.elf                                              Mirai            156.250.157.119
                                            na.elf                                              Mirai            154.213.192.29
                                            na.elf                                              Unknown          154.213.192.29
                                            na.elf                                              Unknown          154.213.192.29
                                            KU4NMyi8i1.elf                                      Mirai            156.242.206.27
                                            jYEvdBHMOI.elf                                      Mirai            156.253.238.123
                                            QmMz1SXUn8.elf                                      Mirai            156.251.7.185
                                            PeleHfdpzX.elf                                      Mirai            156.251.7.188
                                            ULRmk7oYR7.elf                                      Mirai            156.250.157.132
                                            na.elf                                              Mirai            154.213.192.29
                            No context
                            No context
                            No created / dropped files found
File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.88015105671896
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: na.elf
File size: 46'956 bytes
MD5: 6e4b2522b7fc360d9d6c00a51dd2b363
SHA1: e4b1340e990cb56746dbb0a77c39eabff5f59f37
SHA256: 56516e052f4a2433a3617724c6f49427e415be0bc84ffc96a840b326da0d1fbf
SHA512: 10d63c781042303478106804b2caf056ad2df3ec4c73ef190ee535055111c0c115d5eecf2ea83121b161e0d74d03e07dea7d9f7b36d0157d42c381d99a77fece
SSDEEP: 768:csdN4FgQ3rI9SJuKL7JjtsLYKgXCf+odnGCzrC8:cw4Fg0rIwJuKLdjtsLJgXCZ/rC8
TLSH: 9B238D32CC762E24DA989574F930EF3E5B43D965CA122EEA445382798003FDDF8492F4
File Content Preview: .ELF..............*.......@.4...........4. ...(...............@...@...........................A...A.....HE..........Q.td............................././"O.n........#.*@........#.*@l....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown> to the report's header parser. The e_machine field is 42 (EM_SH, Renesas/Hitachi SuperH), which is what the file-type line above reports and what the content preview shows: byte 18 of the preview, the low byte of e_machine, is '*' (0x2A = 42).
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0x9 (for EM_SH this is EF_SH4, the SH-4 instruction set, matching the qemu-sh4 interpreter seen in process memory)
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 46556
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
Section headers

Name        Type      Address     Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
(null)      NULL      0x0         0x0      0x0      0x0      0x0                       0     0     0
.init       PROGBITS  0x400094    0x94     0x30     0x0      0x6    AX                 0     0     4
.text       PROGBITS  0x4000e0    0xe0     0xa180   0x0      0x6    AX                 0     0     32
.fini       PROGBITS  0x40a260    0xa260   0x24     0x0      0x6    AX                 0     0     4
.rodata     PROGBITS  0x40a284    0xa284   0x1034   0x0      0x2    A                  0     0     4
.ctors      PROGBITS  0x41b2bc    0xb2bc   0x8      0x0      0x3    WA                 0     0     4
.dtors      PROGBITS  0x41b2c4    0xb2c4   0x8      0x0      0x3    WA                 0     0     4
.data       PROGBITS  0x41b2d0    0xb2d0   0x2cc    0x0      0x3    WA                 0     0     4
.bss        NOBITS    0x41b59c    0xb59c   0x4268   0x0      0x3    WA                 0     0     4
.shstrtab   STRTAB    0x0         0xb59c   0x3e     0x0      0x0                       0     0     1
Program headers

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Section Mappings
LOAD       0x0      0x400000         0x400000          0xb2b8     0xb2b8       6.9286   0x5    R E                0x10000  .init .text .fini .rodata
LOAD       0xb2bc   0x41b2bc         0x41b2bc          0x2e0      0x4548       3.8131   0x6    RW                 0x10000  .ctors .dtors .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4

The two LOAD segments are consistent with the section table (0xb2b8 = end of .rodata; 0x4548 - 0x2e0 = 0x4268 = .bss size). The GNU_STACK header carries RWE, so the binary requests an executable stack; for a statically linked, stripped build this is typical of older uClibc/GCC toolchains for embedded targets and removes one mitigation an exploit developer would otherwise have to work around.
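Because the report's parser printed the machine as "<unknown>", it is worth having a small, dependency-free check that decodes the ELF32 header and program headers directly. The following is an added example (not Joe Sandbox code and not the sample): it rebuilds a header from the field values listed above, then parses it back, names the architecture, derives the SuperH sub-flavour from e_flags, and flags the executable stack. The MACHINE_NAMES table and the EF_SH4 / EF_SH_MACH_MASK constants are taken from the ELF and binutils sh.h definitions; only the header bytes are reproduced here, not any sample content.

```python
import struct

# ELF constants (System V ABI and binutils include/elf/sh.h)
EM_SH = 42                 # e_machine: Renesas/Hitachi SuperH
EF_SH_MACH_MASK = 0x1F     # low bits of e_flags select the SH variant
EF_SH4 = 9                 # SH-4 instruction set
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

MACHINE_NAMES = {
    3: "Intel 80386", 8: "MIPS", 20: "PowerPC", 40: "ARM",
    42: "Renesas SH", 62: "x86-64", 183: "AArch64",
}


def build_elf32_header(machine, entry, phoff, shoff, flags, phnum, shnum, shstrndx):
    """Construct a 52-byte ELF32 little-endian EXEC header (test fixture only)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7   # CLASS32, LSB, EV_CURRENT, SYSV, ABI 0
    return e_ident + struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, entry,
                                 phoff, shoff, flags, 52, 32, phnum, 40, shnum, shstrndx)


def phdr32(p_type, offset, vaddr, filesz, memsz, flags, align):
    """One 32-byte ELF32 program header (p_paddr set equal to p_vaddr)."""
    return struct.pack("<IIIIIIII", p_type, offset, vaddr, vaddr, filesz, memsz, flags, align)


# Constructed from the report's ELF header and program header tables for na.elf.
SAMPLE = (
    build_elf32_header(EM_SH, 0x4001A0, 52, 46556, EF_SH4, 3, 10, 9)
    + phdr32(PT_LOAD, 0x0, 0x400000, 0xB2B8, 0xB2B8, PF_R | PF_X, 0x10000)
    + phdr32(PT_LOAD, 0xB2BC, 0x41B2BC, 0x2E0, 0x4548, PF_R | PF_W, 0x10000)
    + phdr32(PT_GNU_STACK, 0, 0, 0, 0, PF_R | PF_W | PF_X, 4)
)


def parse_elf32(blob):
    """Decode the ELF32 header and its program headers from raw bytes."""
    if blob[:4] != b"\x7fELF" or blob[4] != 1:
        raise ValueError("not an ELF32 image")
    endian = "<" if blob[5] == 1 else ">"
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, e_flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack(endian + "HHIIIIIHHHHHH", blob[16:52])
    hdr = {
        "type": e_type,
        "machine": e_machine,
        "machine_name": MACHINE_NAMES.get(e_machine, "<unknown>"),
        "entry": e_entry,
        "flags": e_flags,
        "segments": [],
    }
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            struct.unpack(endian + "IIIIIIII", blob[off:off + 32])
        hdr["segments"].append({"type": p_type, "offset": p_off, "vaddr": p_vaddr,
                                "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags})
    return hdr


def sh_flavor(hdr):
    """Decode the SuperH sub-architecture from e_flags; None for non-SH files."""
    if hdr["machine"] != EM_SH:
        return None
    return {EF_SH4: "SH-4"}.get(hdr["flags"] & EF_SH_MACH_MASK, "other SH variant")


def executable_stack(hdr):
    """True if PT_GNU_STACK carries PF_X, or is absent (loaders then fall back to an executable stack)."""
    for seg in hdr["segments"]:
        if seg["type"] == PT_GNU_STACK:
            return bool(seg["flags"] & PF_X)
    return True


if __name__ == "__main__":
    h = parse_elf32(SAMPLE)
    print(f"machine={h['machine']} ({h['machine_name']}), flavor={sh_flavor(h)}, "
          f"entry=0x{h['entry']:x}, exec-stack={executable_stack(h)}")
```

Run against the real file, `parse_elf32(open("na.elf", "rb").read())` gives the same answer the constructed header gives, since only the first 52 + 3 * 32 bytes are read; the point of the fixture is that the checks run offline without the sample.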
TCP packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 13, 2024 15:20:09.877563000 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:20:09.882869005 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:20:09.882942915 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:20:09.883265018 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:20:09.888463020 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:20:15.687602997 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:20:15.687676907 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:20:30.700270891 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:20:30.705434084 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:20:45.898817062 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:20:45.899255991 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:21:50.984801054 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:21:50.985297918 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:22:05.988817930 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:22:05.994751930 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:22:09.156496048 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:22:09.157241106 CEST  58928        15987      192.168.2.14     156.244.16.207
Oct 13, 2024 15:23:06.986711025 CEST  15987        58928      156.244.16.207   192.168.2.14
Oct 13, 2024 15:23:06.986855984 CEST  58928        15987      192.168.2.14     156.244.16.207

The single TCP session to 156.244.16.207:15987 stays up for the rest of the analysis with short two-way exchanges roughly every 15 to 60 seconds, the pattern of a bot holding a C2 channel open. Ports 1, 5, 7, 8 and 9 from the "many ports" signature do not appear in this table, which lists only the completed session.

UDP packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 13, 2024 15:20:08.589009047 CEST  37194        5353       192.168.2.14     185.84.81.194
Oct 13, 2024 15:20:09.874293089 CEST  5353         37194      185.84.81.194    192.168.2.14
Oct 13, 2024 15:22:50.349338055 CEST  38966        53         192.168.2.14     8.8.8.8
Oct 13, 2024 15:22:50.349339008 CEST  37421        53         192.168.2.14     8.8.8.8
Oct 13, 2024 15:22:50.357444048 CEST  53           38966      8.8.8.8          192.168.2.14
Oct 13, 2024 15:22:50.357498884 CEST  53           37421      8.8.8.8          192.168.2.14

The first exchange is a unicast datagram to a public host on port 5353, so despite the port it is not mDNS (mDNS is multicast to 224.0.0.251). The reply from 185.84.81.194 arrives at 15:20:09.874 and the TCP connection to 156.244.16.207 starts at 15:20:09.877, about 3 ms later: whatever the UDP exchange carried, the C2 address was in hand only after it. Both addresses were contacted without any DNS resolution; the only DNS traffic (to 8.8.8.8) is the daisy.ubuntu.com lookup from the analysis VM.
DNS queries

Timestamp                            Source IP      Dest IP   Trans ID  OP Code             Name               Type                  Class        DNS over HTTPS
Oct 13, 2024 15:22:50.349338055 CEST  192.168.2.14   8.8.8.8   0xe059    Standard query (0)  daisy.ubuntu.com   A (IP address)        IN (0x0001)  false
Oct 13, 2024 15:22:50.349339008 CEST  192.168.2.14   8.8.8.8   0x222a    Standard query (0)  daisy.ubuntu.com   AAAA (28, IPv6 addr)  IN (0x0001)  false

DNS answers

Timestamp                            Source IP   Dest IP        Trans ID  Reply Code     Name               CName  Address         Type            Class        DNS over HTTPS
Oct 13, 2024 15:22:50.357444048 CEST  8.8.8.8     192.168.2.14   0xe059    No error (0)   daisy.ubuntu.com          162.213.35.25   A (IP address)  IN (0x0001)  false
Oct 13, 2024 15:22:50.357444048 CEST  8.8.8.8     192.168.2.14   0xe059    No error (0)   daisy.ubuntu.com          162.213.35.24   A (IP address)  IN (0x0001)  false

No answer row is listed for the AAAA query 0x222a, although a reply packet to its source port 37421 appears in the UDP table.
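Three of the report's network signatures ("TCP/UDP traffic without corresponding DNS query", "Connects to many ports of the same IP" and the UDP-then-TCP ordering noted above) are simple enough to reproduce from the packet and DNS tables, which is useful when triaging a pcap or flow log without a sandbox. The following is an added example, not Joe Sandbox's detection code; the flow rows are constructed from the tables in this report (timestamps truncated to microseconds), and the five low-port attempts are reconstructed from the signature text since they do not appear in the packet table.

```python
from collections import defaultdict
from datetime import datetime

SANDBOX_IP = "192.168.2.14"          # the analysis VM's address in this report

# Constructed from the report's DNS answer table: (time, name, address).
DNS_ANSWERS = [
    ("15:22:50.357444", "daisy.ubuntu.com", "162.213.35.25"),
    ("15:22:50.357444", "daisy.ubuntu.com", "162.213.35.24"),
]

# Constructed from the report's TCP/UDP packet tables: (time, proto, src, sport, dst, dport).
FLOWS = [
    ("15:20:08.589009", "udp", SANDBOX_IP, 37194, "185.84.81.194", 5353),
    ("15:20:09.874293", "udp", "185.84.81.194", 5353, SANDBOX_IP, 37194),
    ("15:20:09.877563", "tcp", SANDBOX_IP, 58928, "156.244.16.207", 15987),
    ("15:20:09.882869", "tcp", "156.244.16.207", 15987, SANDBOX_IP, 58928),
    ("15:22:50.349338", "udp", SANDBOX_IP, 38966, "8.8.8.8", 53),
    ("15:22:50.357444", "udp", "8.8.8.8", 53, SANDBOX_IP, 38966),
]
# The port-scan signature names ports 1,5,7,8,9 and 15987 on 156.244.16.207; the
# attempts on the low ports are not in the packet table, so they are added here
# as constructed outbound rows with made-up source ports and a made-up timestamp.
FLOWS += [("15:20:10.000000", "tcp", SANDBOX_IP, 40000 + p, "156.244.16.207", p)
          for p in (1, 5, 7, 8, 9)]


def _t(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")


def undeclared_destinations(flows, dns_answers, resolver_port=53):
    """Destinations the sandbox contacted with no earlier DNS answer naming them.
    Traffic to the resolver itself (port 53) is ignored."""
    resolved = defaultdict(list)
    for stamp, _name, addr in dns_answers:
        resolved[addr].append(_t(stamp))
    hits = set()
    for stamp, _proto, src, _sport, dst, dport in flows:
        if src != SANDBOX_IP or dport == resolver_port:
            continue
        if not any(answered <= _t(stamp) for answered in resolved.get(dst, [])):
            hits.add(dst)
    return sorted(hits)


def port_scan_candidates(flows, min_ports=5):
    """Destination IPs that received outbound TCP on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for _stamp, proto, src, _sport, dst, dport in flows:
        if src == SANDBOX_IP and proto == "tcp":
            ports[dst].add(dport)
    return {dst: sorted(p) for dst, p in ports.items() if len(p) >= min_ports}


def udp_reply_to_tcp_connect(flows):
    """Seconds between the latest inbound UDP reply (from a different host) and the
    first outbound TCP packet to each destination. A gap of a few milliseconds
    means the UDP exchange very likely delivered the target address."""
    seen, gaps, last_udp_reply = set(), {}, None
    for stamp, proto, src, _sport, dst, _dport in sorted(flows, key=lambda f: _t(f[0])):
        if proto == "udp" and dst == SANDBOX_IP:
            last_udp_reply = (src, _t(stamp))
        elif proto == "tcp" and src == SANDBOX_IP and dst not in seen:
            seen.add(dst)
            if last_udp_reply and last_udp_reply[0] != dst:
                gaps[dst] = (_t(stamp) - last_udp_reply[1]).total_seconds()
    return gaps


if __name__ == "__main__":
    print("no DNS for:", undeclared_destinations(FLOWS, DNS_ANSWERS))
    print("port scan:", port_scan_candidates(FLOWS))
    print("UDP reply -> TCP connect gaps:", udp_reply_to_tcp_connect(FLOWS))
```

On this report's data the first check returns both 156.244.16.207 and 185.84.81.194, the second returns 156.244.16.207 with its six ports, and the third reports a gap of about 3.3 ms for 156.244.16.207. The resolver exclusion matters: without it the lookup to 8.8.8.8 would itself be flagged as an undeclared destination.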

System Behavior

Start time (UTC): 13:20:06
Start date (UTC): 13/10/2024
Path: /tmp/na.elf
Arguments: /tmp/na.elf
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC): 13:20:07
Start date (UTC): 13/10/2024
Path: /tmp/na.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC): 13:20:07
Start date (UTC): 13/10/2024
Path: /tmp/na.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9

The MD5 (8943e5f8f8c280467b4472c15ae93ba9) and size (4139976 bytes) recorded for these processes differ from the 46'956-byte sample (MD5 6e4b2522b7fc360d9d6c00a51dd2b363). The SH-4 binary cannot run natively on the x86-64 analysis VM; it was started through binfmt_misc, and the executable actually running is the QEMU user-mode emulator /usr/bin/qemu-sh4 (the /usr/bin/qemu-sh4 and /etc/qemu-binfmt/sh4 strings recovered from process memory confirm this). The process hash therefore identifies the emulator on the sandbox, not the malware; use the static hashes above for pivoting. The two forks at 13:20:07 are the sample's own child processes, executed under the same emulator.