
Linux Analysis Report
nn.elf

Overview

General Information

Sample name: nn.elf
Analysis ID: 1538228
MD5: ed89809e1f1189724567ce62d636f4c1
SHA1: f1866ab70aba277c2c2f62770f22467f1f18a695
SHA256: c8631e6bf91d813d691e9bdaeb5a74b28779e2c13fc8e50fe62ab36a52e511a9
Tags: elf, user-abuse_ch

Detection

Nanominer, Xmrig
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Nanominer
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Executes the "rm" command used to delete files or directories
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538228
Start date and time: 2024-10-20 20:50:22 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: nn.elf
Detection: MAL
Classification: mal68.mine.linELF@0/0@0/0
  • VT rate limit hit for: nn.elf
Command: /tmp/nn.elf
PID: 6289
Exit Code: 139
Exit Code Info: SIGSEGV (11) Segmentation fault invalid memory reference
Killed: False
Standard Output: (empty)
Standard Error: (empty)

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 6262, Parent: 4331)
  • rm (PID: 6262, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
  • dash New Fork (PID: 6263, Parent: 4331)
  • rm (PID: 6263, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
  • cleanup
Yara Matches

Source | Rule | Description | Author | Strings
nn.elf | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
nn.elf | JoeSecurity_Nanominer | Yara detected Nanominer | Joe Security |
nn.elf | Linux_Cryptominer_Generic_e0cca9dc | unknown | unknown | 0x1dd87e:$a: 54 24 40 48 8D 94 24 C0 00 00 00 F3 41 0F 6F 01 48 89 7C 24 50 48 89 74

No Suricata rule has matched

Bitcoin Miner

Source: Yara match | File source: nn.elf, type: SAMPLE
Source: Yara match | File source: nn.elf, type: SAMPLE
Source: nn.elf | String found in binary or memory: St22_Weak_result_type_implIM7IClientFvRKSt7variantIJ12EthashResult13StratumResult17CryptonightResult15VerusHashResultEERKS1_IJ10EthashTask12StratumInput16CryptonightInput14VerusHashInputEESt10shared_ptrI6DeviceEEE
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: nn.elf | String found in binary or memory: https://api.github.com/repos/nanopool/nanominer/releases/latestmalformed
Source: nn.elf | String found in binary or memory: https://api.nanopool.org/v1/invalid
Source: nn.elf | String found in binary or memory: https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls:
Source: nn.elf | String found in binary or memory: https://gcc.gnu.org/bugs
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443

System Summary

Source: nn.elf, type: SAMPLE | Matched rule: Linux_Cryptominer_Generic_e0cca9dc Author: unknown
Source: nn.elf, type: SAMPLE | Matched rule: Linux_Cryptominer_Generic_e0cca9dc reference_sample = 59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Generic, fingerprint = e7bc17ba356774ed10e65c95a8db3b09d3b9be72703e6daa9b601ea820481db7, id = e0cca9dc-0f3e-42d8-bb43-0625f4f9bfe1, last_modified = 2022-01-26
Source: classification engine | Classification label: mal68.mine.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6262) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
Source: /usr/bin/dash (PID: 6263) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
MITRE ATT&CK Matrix (techniques matched by this analysis carry their hit count in parentheses; the other cells are the unmatched placeholder techniques of the matrix grid)

Tactic | Techniques
Reconnaissance | Gather Victim Identity Information; Credentials
Resource Development | Acquire Infrastructure; Domains
Initial Access | Valid Accounts; Default Accounts
Execution | Windows Management Instrumentation; Scheduled Task/Job
Persistence | Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation | Path Interception; Boot or Logon Initialization Scripts
Defense Evasion | File Deletion (1); Rootkit
Credential Access | OS Credential Dumping; LSASS Memory
Discovery | System Service Discovery; Application Window Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol
Collection | Data from Local System; Data from Removable Media
Command and Control | Encrypted Channel (1); Application Layer Protocol (1)
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact | Abuse Accessibility Features; Network Denial of Service
      No configs have been found
Antivirus Detection

Source | Detection | Scanner | Label
nn.elf | 11% | ReversingLabs | Linux.Coinminer.Generic

No Antivirus matches
      No contacted domains info
URLs

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.nanopool.org/v1/invalid | nn.elf | false | | unknown
https://blockscout.com/etc/mainnet/api?module=block&action=eth_block_numbertls: | nn.elf | false | | unknown
https://api.github.com/repos/nanopool/nanominer/releases/latestmalformed | nn.elf | false | | unknown
https://gcc.gnu.org/bugs | nn.elf | false | | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Context (IPs)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.42 | boatnet.arm7.elf | malicious | Mirai |
91.189.91.42 | boatnet.ppc.elf | malicious | Mirai |
91.189.91.42 | boatnet.mpsl.elf | malicious | Mirai |
91.189.91.42 | bin.x86_64.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | bin.mipsel.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | bin.armv6l.elf | malicious | Mirai |
91.189.91.42 | mips.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | mipsel.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | bin.x86_64.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | bin.armv5l.elf | malicious | Gafgyt, Mirai |

No context
Context (ASNs)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | boatnet.arm7.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | boatnet.ppc.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | boatnet.mpsl.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | bin.x86_64.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | bin.mipsel.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | bin.armv6l.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | mips.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | mipsel.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | bin.x86_64.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | bin.armv5l.elf | malicious | Gafgyt, Mirai | 91.189.91.42
INIT7CH | boatnet.arm7.elf | malicious | Mirai | 109.202.202.202
INIT7CH | boatnet.ppc.elf | malicious | Mirai | 109.202.202.202
INIT7CH | boatnet.mpsl.elf | malicious | Mirai | 109.202.202.202
INIT7CH | bin.x86_64.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | bin.mipsel.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | bin.armv6l.elf | malicious | Mirai | 109.202.202.202
INIT7CH | mips.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | mipsel.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | bin.x86_64.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | bin.armv5l.elf | malicious | Gafgyt, Mirai | 109.202.202.202

No context
No context
No created / dropped files found

Static File Info

File type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 52906664
Entropy (8bit): 5.08984603975892
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: nn.elf
File size: 33'312'419 bytes
MD5: ed89809e1f1189724567ce62d636f4c1
SHA1: f1866ab70aba277c2c2f62770f22467f1f18a695
SHA256: c8631e6bf91d813d691e9bdaeb5a74b28779e2c13fc8e50fe62ab36a52e511a9
SHA512: 3b6b1298e28ba70033fd27d4b38d0a526a6afa2438712d7d1250f58d5223cd27bdf3a294d17e7219c8196f09bfd92e15762990f994d72194b7558a29a6cc5e8d
SSDEEP: 393216:Se4n2yMyec44bbt3QR68Or5CbB/yBHqjihphKmXMGDiw6lc:LOQbBqBKjihlXMWiwO
TLSH: B277BF47F59150ECC1AED13486669263BA707CA94B3037EB2B90F7792E32BE05B39354
File Content Preview: .ELF..............>.......C.....@........A'.........@.8...@.$.#.........@.......@.@.....@.@.....0.......0.......................p.......p.@.....p.@...............................................@.......@.......t.......t....... ...............t............
Network Behavior (TCP Packets)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 20:51:40.263319969 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Oct 20, 2024 20:51:54.341222048 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Oct 20, 2024 20:52:00.484399080 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Oct 20, 2024 20:52:41.438730001 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42

System Behavior

Start time (UTC): 18:51:36
Start date (UTC): 20/10/2024
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 18:51:36
Start date (UTC): 20/10/2024
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 18:51:36
Start date (UTC): 20/10/2024
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 18:51:36
Start date (UTC): 20/10/2024
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.pdDljAlyNF /tmp/tmp.RjeH8iViGU /tmp/tmp.g1SjPsgwOG
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b