Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1532541
MD5:d786a1137be077b33ddc1b35a9b1b056
SHA1:905d88d7c050676edacb0d1aecdb24a333dfe4aa
SHA256:b7b228cb8cf42a2a52748b49998b654ca1aa771554f1181df24de5c536a7c306
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532541
Start date and time:2024-10-13 16:11:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0
Command:/tmp/na.elf
PID:5452
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • na.elf (PID: 5452, Parent: 5375, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/na.elf
  • cleanup
No yara matches
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: na.elfAvira: detected
Source: na.elfReversingLabs: Detection: 60%
Source: na.elfVirustotal: Detection: 33%Perma Link
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: LOAD without section mappingsProgram segment: 0x100000
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: na.elfSubmission file: segment LOAD with 7.9928 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5452)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5452.1.00007ffcf20f8000.00007ffcf2119000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5452.1.0000561a6e9ac000.0000561a6ea33000.rw-.sdmpBinary or memory string: V!/etc/qemu-binfmt/mips
Source: na.elf, 5452.1.0000561a6e9ac000.0000561a6ea33000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: na.elf, 5452.1.00007ffcf20f8000.00007ffcf2119000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: na.elf, 5452.1.00007ffcf20f8000.00007ffcf2119000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information
OS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Non-Application Layer Protocol
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
SourceDetectionScannerLabelLink
na.elf61%ReversingLabsLinux.Infostealer.Berbew
na.elf33%VirustotalBrowse
na.elf100%AviraLINUX/Siggen.illbf
No Antivirus matches
SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalseunknown
No contacted IP infos
No context
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comna.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
No context
No context
No context
No created / dropped files found
File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):7.992758659517384
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:na.elf
File size:35'700 bytes
MD5:d786a1137be077b33ddc1b35a9b1b056
SHA1:905d88d7c050676edacb0d1aecdb24a333dfe4aa
SHA256:b7b228cb8cf42a2a52748b49998b654ca1aa771554f1181df24de5c536a7c306
SHA512:e5adc987ace179df0c0ec84d16bbd9528648eb0a5dd5d983f8b3314bb7535a038ef771b61bda7e401571c2a71866f58d894226b0e4ea4c158b24fba69d7c241d
SSDEEP:768:YTYIDfYG6ZmewZ59+Nw1qsREH20j7UNqVwi7M8ghL:yYI0ARqw1qAEW67UIWi7M8gt
TLSH:9FF2F14732943B73E15345F4E3BCAFCB611A7D64AFEE242BA4413A6270B221D68DD41A
File Content Preview:.ELF....................../....4.........4. ...(......................Bd..Bd.................G...G.................................................^.......?.E.h4...@b..) ..]..0...a.t<..mc.zy/..>..!c...gM\<j..W`xD'..}...\..].j.L.u...S..i...../..F...@`..'k.

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:MIPS R3000
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x112fe8
Flags:0x1007
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:2
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0
TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x1000000x1000000x142640x142647.99280x5R E0x10000
LOAD0xa6c00x47a6c00x47a6c00x00x00.00000x6RW 0x10000
TimestampSource PortDest PortSource IPDest IP
Oct 13, 2024 16:11:57.857059956 CEST4370153192.168.2.138.8.8.8
Oct 13, 2024 16:11:57.857106924 CEST5047153192.168.2.138.8.8.8
Oct 13, 2024 16:11:57.863821030 CEST53504718.8.8.8192.168.2.13
Oct 13, 2024 16:11:57.864281893 CEST53437018.8.8.8192.168.2.13
TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 13, 2024 16:11:57.857059956 CEST192.168.2.138.8.8.80x8617Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 13, 2024 16:11:57.857106924 CEST192.168.2.138.8.8.80xe45cStandard query (0)daisy.ubuntu.com28IN (0x0001)false
TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 13, 2024 16:11:57.864281893 CEST8.8.8.8192.168.2.130x8617No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
Oct 13, 2024 16:11:57.864281893 CEST8.8.8.8192.168.2.130x8617No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

System Behavior

Start time (UTC):14:11:56
Start date (UTC):13/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:5777432 bytes
MD5 hash:0083f1f0e77be34ad27f849842bbb00c