Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
botnet.mips.elf

Overview

General Information

Sample name:botnet.mips.elf
Analysis ID:1540997
MD5:b69de4c2d69c16bdd1db790b5398e27f
SHA1:325a10d4370e86c0c15fbab4ece7a8406b2edb55
SHA256:5c3c9921170cee3e1a742c70a929ebab4c0a042122d2f77d3c16a79d58b28059
Tags:elfMiraiuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1540997
Start date and time:2024-10-24 11:22:32 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:botnet.mips.elf
Detection:MAL
Classification:mal60.evad.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: botnet.mips.elf

Runtime Messages

Command:/tmp/botnet.mips.elf
PID:5422
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Process Tree

  • system is lnxubuntu20
  • botnet.mips.elf (PID: 5422, Parent: 5346, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/botnet.mips.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: botnet.mips.elfAvira: detected
Multi AV Scanner detection for submitted file
Source: botnet.mips.elfReversingLabs: Detection: 44%
Source: global trafficTCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: botnet.mips.elfString found in binary or memory: http://upx.sf.net
Source: unknownNetwork traffic detected: HTTP traffic on port 48202 -> 443
Source: LOAD without section mappingsProgram segment: 0x400000
Source: classification engineClassification label: mal60.evad.linELF@0/0@2/0

Data Obfuscation

barindex
Sample is packed with UPX
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
Source: botnet.mips.elfSubmission file: segment LOAD with 7.9265 entropy (max. 8.0)
Source: /tmp/botnet.mips.elf (PID: 5422)Queries kernel information via 'uname': Jump to behavior
Source: botnet.mips.elf, 5422.1.000055ac91869000.000055ac918f0000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
Source: botnet.mips.elf, 5422.1.00007ffc10bf3000.00007ffc10c14000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/botnet.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/botnet.mips.elf
Source: botnet.mips.elf, 5422.1.000055ac91869000.000055ac918f0000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: botnet.mips.elf, 5422.1.00007ffc10bf3000.00007ffc10c14000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: botnet.mips.elf, 5422.1.00007ffc10bf3000.00007ffc10c14000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
botnet.mips.elf45%ReversingLabsLinux.Trojan.Mirai
botnet.mips.elf100%AviraLINUX/AVI.Bot.tygrq

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://upx.sf.net0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.netbotnet.mips.elftrue
    • URL Reputation: safe
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    185.125.190.26
    		unknownUnited Kingdom
    		41231CANONICAL-ASGBfalse

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    185.125.190.26bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
      na.elfGet hashmaliciousUnknownBrowse
        bot.arm7.elfGet hashmaliciousMirai, OkiruBrowse
          sshd.elfGet hashmaliciousUnknownBrowse
            pozY1lq94j.elfGet hashmaliciousOkiruBrowse
              arm4.elfGet hashmaliciousUnknownBrowse
                pty.elfGet hashmaliciousTsunamiBrowse
                  na.elfGet hashmaliciousMiraiBrowse
                    bin.armv4l.elfGet hashmaliciousGafgyt, MiraiBrowse
                      bin.mipsel.elfGet hashmaliciousGafgyt, MiraiBrowse

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        daisy.ubuntu.comla.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                        • 162.213.35.25
                        la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.25
                        hidakibest.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                        • 162.213.35.24
                        la.bot.mips.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        boatnet.x86.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        x86.elfGet hashmaliciousUnknownBrowse
                        • 162.213.35.24
                        garm7.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.24
                        nshsh4.elfGet hashmaliciousMiraiBrowse
                        • 162.213.35.25
                        hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                        • 162.213.35.24

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CANONICAL-ASGBboatnet.sh4.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                        • 185.125.190.26
                        na.elfGet hashmaliciousUnknownBrowse
                        • 185.125.190.26
                        BoM00gWx1d.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        hidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                        • 91.189.91.42
                        boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        boatnet.arm.elfGet hashmaliciousMiraiBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        na.elfGet hashmaliciousUnknownBrowse
                        • 91.189.91.42
                        bot.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                        • 185.125.190.26

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        No created / dropped files found

                        Static File Info

                        General

                        File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                        Entropy (8bit):7.923607301391047
                        TrID:
                        • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                        • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                        File name:botnet.mips.elf
                        File size:37'516 bytes
                        MD5:b69de4c2d69c16bdd1db790b5398e27f
                        SHA1:325a10d4370e86c0c15fbab4ece7a8406b2edb55
                        SHA256:5c3c9921170cee3e1a742c70a929ebab4c0a042122d2f77d3c16a79d58b28059
                        SHA512:ec90df95890697f48f5017b8d2e258252a9349f6cbe461dba0e9551c7a4dd14b41fda179fea686aaebf7a164b23fa35f43502d95be143e7d08e0f0c71c2bdf10
                        SSDEEP:768:VFwoLdBhILNp1D13EfJnkUnY3KgsEev29BDxnz1M96UGS5J1DzuJgGlzDpUYsfb:f/dQDilnY3Vfg2nxnz1ONGS5J1CVqY4
                        TLSH:2DF2E19D412EA1F3D86E51B752A5F39202B90EF7E821D44A633C96024D436EF2873BD1
                        File Content Preview:.ELF.....................@}H...4.........4. ...(.............@...@.....V...V.................A...A.........x.........#..UPX!...........X...X.......W.......?.E.h4...@b..) ..]....E......;.\.Z?C...8......o,k.zo..`.....A..O1.......!4U-...#.d....y...wV........

                        Static ELF Info

                        ELF header

                        Class:ELF32
                        Data:2's complement, big endian
                        Version:1 (current)
                        Machine:MIPS R3000
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:UNIX - System V
                        ABI Version:0
                        Entry Point Address:0x407d48
                        Flags:0x1007
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:2
                        Section Header Offset:0
                        Section Header Size:40
                        Number of Section Headers:0
                        Header String Table Index:0

                        Program Segments

                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                        LOAD0x00x4000000x4000000x91560x91567.92650x5R E0x10000
                        LOAD0x00x4100000x4100000x00x4aa780.00000x6RW 0x10000

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 24, 2024 11:23:23.108264923 CEST48202443192.168.2.13185.125.190.26
                        Oct 24, 2024 11:23:54.340163946 CEST48202443192.168.2.13185.125.190.26

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Oct 24, 2024 11:23:15.298906088 CEST4588053192.168.2.138.8.8.8
                        Oct 24, 2024 11:23:15.298943043 CEST5800153192.168.2.138.8.8.8
                        Oct 24, 2024 11:23:15.305972099 CEST53580018.8.8.8192.168.2.13
                        Oct 24, 2024 11:23:15.305990934 CEST53458808.8.8.8192.168.2.13

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Oct 24, 2024 11:23:15.298906088 CEST192.168.2.138.8.8.80x34edStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                        Oct 24, 2024 11:23:15.298943043 CEST192.168.2.138.8.8.80xf43dStandard query (0)daisy.ubuntu.com28IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Oct 24, 2024 11:23:15.305990934 CEST8.8.8.8192.168.2.130x34edNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                        Oct 24, 2024 11:23:15.305990934 CEST8.8.8.8192.168.2.130x34edNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                        System Behavior

                        General

                        Start time (UTC):09:23:13
                        Start date (UTC):24/10/2024
                        Path:/tmp/botnet.mips.elf
                        Arguments:/tmp/botnet.mips.elf
                        File size:5777432 bytes
                        MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                        Chronological Activities