Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1533414
MD5:159ef8f78ce2cfaaf1df867e2588164e
SHA1:4ce1b012e848161e8ac5cb82aad5d5c7dd326438
SHA256:d162b93f640d5183547fd9a8d9cd9aca116f4d4c81b41904f1b54944067541a8
Tags:elfuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1533414
Start date and time:2024-10-14 17:33:17 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal60.evad.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: na.elf

Runtime Messages

Command:/tmp/na.elf
PID:5530
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5530, Parent: 5445, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/na.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: na.elfAvira: detected
Multi AV Scanner detection for submitted file
Source: na.elfReversingLabs: Detection: 62%
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: na.elfString found in binary or memory: http://upx.sf.net
Source: LOAD without section mappingsProgram segment: 0x400000
Source: classification engineClassification label: mal60.evad.linELF@0/0@2/0

Data Obfuscation

barindex
Sample is packed with UPX
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Source: na.elfSubmission file: segment LOAD with 7.9253 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5530)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5530.1.000055d606ef2000.000055d606f79000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 5530.1.00007fff584a9000.00007fff584ca000.rw-.sdmpBinary or memory string: ;2x86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5530.1.000055d606ef2000.000055d606f79000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mipsel
Source: na.elf, 5530.1.00007fff584a9000.00007fff584ca000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
Source: na.elf, 5530.1.00007fff584a9000.00007fff584ca000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf62%ReversingLabsLinux.Trojan.Mirai
na.elf100%AviraEXP/ELF.Agent.M.28

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://upx.sf.net0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.netna.elftrue
    • URL Reputation: safe
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comna.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    na.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    na.elfGet hashmaliciousMirai, MoobotBrowse
    • 162.213.35.25
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    na.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
    Entropy (8bit):7.92226471626814
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:na.elf
    File size:38'040 bytes
    MD5:159ef8f78ce2cfaaf1df867e2588164e
    SHA1:4ce1b012e848161e8ac5cb82aad5d5c7dd326438
    SHA256:d162b93f640d5183547fd9a8d9cd9aca116f4d4c81b41904f1b54944067541a8
    SHA512:9a2a126bf4dc57e91e006a73d4b44578b935e8ef6a37bc0bce97f905a33e70aa08fb807960bd6a8ac681e2afe1ee8734f84d3a383deb7ca25cf20483cd2842ee
    SSDEEP:768:9Tsh3RYaUSOJFRt3oOjvfmsTJDcE3fho3VVCBM7+eBB4a23pWMe:cR9qDL3oOjH9Txfm4BY4Xs
    TLSH:9003E17DEC1C2A51D56C1C3FF0AD1E618D6874947BDD838EB2506C02BB28D8B37964B4
    File Content Preview:.ELF....................H.@.4...........4. ...(...............@...@.U...U.....................A...A....................gUPX!........P...P.......U..........?.E.h;....#......b.L#1;..j-.iS..s<}..q/&.1|..Yu....gm.......y.""XM..j5..Q.@F......L....{............

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x407f48
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x4000000x4000000x93550x93557.92530x5R E0x10000
    LOAD0x00x4100000x4100000x00x4bba80.00000x6RW 0x10000

    Network Behavior

    Network Port Distribution

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Oct 14, 2024 17:34:09.444170952 CEST3472053192.168.2.151.1.1.1
    Oct 14, 2024 17:34:09.444226027 CEST5173453192.168.2.151.1.1.1
    Oct 14, 2024 17:34:09.451670885 CEST53517341.1.1.1192.168.2.15
    Oct 14, 2024 17:34:09.452476025 CEST53347201.1.1.1192.168.2.15

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Oct 14, 2024 17:34:09.444170952 CEST192.168.2.151.1.1.10xfc40Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Oct 14, 2024 17:34:09.444226027 CEST192.168.2.151.1.1.10x206eStandard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Oct 14, 2024 17:34:09.452476025 CEST1.1.1.1192.168.2.150xfc40No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
    Oct 14, 2024 17:34:09.452476025 CEST1.1.1.1192.168.2.150xfc40No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):15:34:07
    Start date (UTC):14/10/2024
    Path:/tmp/na.elf
    Arguments:/tmp/na.elf
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

    Chronological Activities