Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1533026
MD5:5d2fe62daf581be2533ff153dfb51690
SHA1:22b47572bbdc44d768e98bdc254791d73d69ce2b
SHA256:dbdfcc8a0ab879dd282d0f27edd574b9dd99f9a90775d01646ee597be0f5b470
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads system version information
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1533026
Start date and time:2024-10-14 10:45:04 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0

Runtime Messages

Command:/tmp/na.elf
PID:5725
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5725, Parent: 5530, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/na.elf
  • systemd New Fork (PID: 5794, Parent: 1)
  • snap-failure (PID: 5794, Parent: 1, MD5: 69136a7d575731ce62349f2e4d3e5c36) Arguments: /usr/lib/snapd/snap-failure snapd
    • systemctl (PID: 5807, Parent: 5794, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop snapd.socket
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: na.elfVirustotal: Detection: 22%Perma Link
Source: na.elfReversingLabs: Detection: 15%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: classification engineClassification label: mal48.linELF@0/0@2/0
Source: /usr/lib/snapd/snap-failure (PID: 5807)Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socketJump to behavior
Source: /usr/lib/snapd/snap-failure (PID: 5794)Reads version info: /proc/versionJump to behavior
Source: /tmp/na.elf (PID: 5725)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5725.1.000055b69e6e9000.000055b69e7f5000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: na.elf, 5725.1.000055b69e6e9000.000055b69e7f5000.rw-.sdmpBinary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: na.elf, 5725.1.000055b69e6e9000.000055b69e7f5000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: na.elf, 5725.1.00007ffd5c181000.00007ffd5c1a2000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: na.elf, 5725.1.00007ffd5c181000.00007ffd5c1a2000.rw-.sdmpBinary or memory string: YEB\x86_64/usr/bin/qemu-arm/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5725.1.000055b69e6e9000.000055b69e7f5000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
Systemd Service		1
Systemd Service		Direct Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533026 Sample: na.elf Startdate: 14/10/2024 Architecture: LINUX Score: 48 15 daisy.ubuntu.com 2->15 17 Multi AV Scanner detection for submitted file 2->17 7 systemd snap-failure 2->7         started        9 na.elf 2->9         started        signatures3 process4 process5 11 snap-failure systemctl 7->11         started        13 snap-failure 7->13         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf23%VirustotalBrowse
na.elf16%ReversingLabsLinux.Trojan.Multiverze

Dropped Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
daisy.ubuntu.com0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
daisy.ubuntu.comna.elfGet hashmaliciousMirai, OkiruBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.25
na.elfGet hashmaliciousUnknownBrowse
  • 162.213.35.24

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, missing section headers at 381572
Entropy (8bit):6.009711463557139
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:na.elf
File size:102'400 bytes
MD5:5d2fe62daf581be2533ff153dfb51690
SHA1:22b47572bbdc44d768e98bdc254791d73d69ce2b
SHA256:dbdfcc8a0ab879dd282d0f27edd574b9dd99f9a90775d01646ee597be0f5b470
SHA512:e4b0c85409978c8300dc87c1a430700cd7becceceee8d2748479ebb9fab933af65841c9da6989d45207d125b093213b5e48ba7e047b44c52c78f15140d8993b0
SSDEEP:3072:9LOug02xHCKQnqZ9YfMXKgyLlBZSyPjYN5:FOugPHCKsqZ9YfM6g23ZJLYN5
TLSH:0AA30A96F8A28B56C4C557B7FB4FC75637231795E3DF36038A184E34278B50A8E3AA01
File Content Preview:.ELF..............(.........4...........4. ...(........p.....+...+......................4...4...4...@...@...............t...t...t..............................................................................................................................

Network Behavior

Network Port Distribution

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Oct 14, 2024 10:46:41.384069920 CEST3284153192.168.2.131.1.1.1
Oct 14, 2024 10:46:41.384172916 CEST4205353192.168.2.131.1.1.1
Oct 14, 2024 10:46:41.391402006 CEST53420531.1.1.1192.168.2.13
Oct 14, 2024 10:46:41.391503096 CEST53328411.1.1.1192.168.2.13

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
Oct 14, 2024 10:46:41.384069920 CEST192.168.2.131.1.1.10xf891Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
Oct 14, 2024 10:46:41.384172916 CEST192.168.2.131.1.1.10xcea9Standard query (0)daisy.ubuntu.com28IN (0x0001)false

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 14, 2024 10:46:41.391503096 CEST1.1.1.1192.168.2.130xf891No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
Oct 14, 2024 10:46:41.391503096 CEST1.1.1.1192.168.2.130xf891No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

System Behavior

General

Start time (UTC):08:46:38
Start date (UTC):14/10/2024
Path:/tmp/na.elf
Arguments:/tmp/na.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities


General

Start time (UTC):08:47:17
Start date (UTC):14/10/2024
Path:/usr/lib/systemd/systemd
Arguments:-
File size:1620224 bytes
MD5 hash:9b2bec7092a40488108543f9334aab75

Chronological Activities


General

Start time (UTC):08:47:17
Start date (UTC):14/10/2024
Path:/usr/lib/snapd/snap-failure
Arguments:/usr/lib/snapd/snap-failure snapd
File size:4764904 bytes
MD5 hash:69136a7d575731ce62349f2e4d3e5c36

Chronological Activities


General

Start time (UTC):08:47:17
Start date (UTC):14/10/2024
Path:/usr/lib/snapd/snap-failure
Arguments:-
File size:4764904 bytes
MD5 hash:69136a7d575731ce62349f2e4d3e5c36

Chronological Activities


General

Start time (UTC):08:47:17
Start date (UTC):14/10/2024
Path:/usr/bin/systemctl
Arguments:systemctl stop snapd.socket
File size:996584 bytes
MD5 hash:4deddfb6741481f68aeac522cc26ff4b

Chronological Activities


General

Start time (UTC):08:47:17
Start date (UTC):14/10/2024
Path:/usr/lib/snapd/snap-failure
Arguments:-
File size:4764904 bytes
MD5 hash:69136a7d575731ce62349f2e4d3e5c36

Chronological Activities