Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1532516
MD5:499183b5b8cd25922ba465ead2bdc082
SHA1:f51b4128cbfcfb5fb7acd2a1aa660489c3e84bdd
SHA256:8d811c3544665226b8764193a04b3f768149925c18b5d5c38c888674a90830fd
Tags:elfuser-abuse_ch
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532516
Start date and time:2024-10-13 15:23:49 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 50s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:CLEAN
Classification:clean1.linELF@0/0@2/0

Runtime Messages

Command:/tmp/na.elf
PID:5523
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5523, Parent: 5441, MD5: 499183b5b8cd25922ba465ead2bdc082) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappingsProgram segment: 0x400000
Source: classification engineClassification label: clean1.linELF@0/0@2/0
Source: na.elfSubmission file: segment LOAD with 7.8992 entropy (max. 8.0)

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532516 Sample: na.elf Startdate: 13/10/2024 Architecture: LINUX Score: 1 7 daisy.ubuntu.com 2->7 5 na.elf 2->5         started        process3

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comna.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
arm5.elfGet hashmaliciousMiraiBrowse
  • 162.213.35.25
arm6.elfGet hashmaliciousMirai, MoobotBrowse
  • 162.213.35.24
debug.dbg.elfGet hashmaliciousMirai, MoobotBrowse
  • 162.213.35.25
0h7AeM6QgB.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousMiraiBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):7.899164182723939
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:na.elf
File size:7'503'283 bytes
MD5:499183b5b8cd25922ba465ead2bdc082
SHA1:f51b4128cbfcfb5fb7acd2a1aa660489c3e84bdd
SHA256:8d811c3544665226b8764193a04b3f768149925c18b5d5c38c888674a90830fd
SHA512:ef364e2c3bb64edcef26f7e91e2ab91de2da0a80134d46a7e0f0c21a8ba6f4311679396fe731a82d54052b5fef174c656e417c3532b2154d24ac235afde883ce
SSDEEP:196608:iCREgDT29/MJYR1XMPDSKVzTXZ+4f2o4iX1J:Rl29/MJYROP3PR2o4iX1J
TLSH:337633FD2B671723E918A7BEA59B0CE468D85346ECEC1156AB9FD0ED01B69C24D37C00
File Content Preview:.ELF..............>......=......@...................@.8...@.......................@.......@.....XGy.....XGy..............................P.......P..............................Q.td.....................................................>U.UPX!........0.$.0.$

Static ELF Info

ELF header

Class:ELF64
Data:2's complement, little endian
Version:1 (current)
Machine:Advanced Micro Devices X86-64
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0xb93de0
Flags:0x0
ELF Header Size:64
Program Header Offset:64
Program Header Size:56
Number of Program Headers:3
Section Header Offset:0
Section Header Size:64
Number of Section Headers:0
Header String Table Index:0

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x4000000x4000000x7947580x7947587.89920x5R E0x1000
LOAD0x00xb950000xb950000x00xb29ab00.00000x6RW 0x1000
GNU_STACK0x00x00x00x00x00.00000x6RW 0x10

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 13, 2024 15:24:53.349205017 CEST4341653192.168.2.141.1.1.1
Oct 13, 2024 15:24:53.349277020 CEST4300553192.168.2.141.1.1.1
Oct 13, 2024 15:24:53.356220961 CEST53434161.1.1.1192.168.2.14
Oct 13, 2024 15:24:53.356241941 CEST53430051.1.1.1192.168.2.14

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 13, 2024 15:24:53.349205017 CEST192.168.2.141.1.1.10x7e4Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 13, 2024 15:24:53.349277020 CEST192.168.2.141.1.1.10x6eddStandard query (0)daisy.ubuntu.com28IN (0x0001)false

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 13, 2024 15:24:53.356220961 CEST1.1.1.1192.168.2.140x7e4No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
Oct 13, 2024 15:24:53.356220961 CEST1.1.1.1192.168.2.140x7e4No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

System Behavior

General

Start time (UTC):13:24:51
Start date (UTC):13/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:7503283 bytes
MD5 hash:499183b5b8cd25922ba465ead2bdc082