Linux Analysis Report
i486.elf

ID:	1541013
Product:	CloudBasic
Start time:	11:32:25
Start date:	24.10.2024
Sample:	i486.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	bd0da6d215821625c85f701133b3d758
SHA1:	0b0eca5e58828339727ed228a25e70d98c1a39ed
SHA256:	ed9e82f85045eab3ef7c4e42b9c9ac2b85d4b619e7c34398b96b3eefa8f3a884
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256

AV Detection

Source: i486.elf

ReversingLabs: Detection: 13%

Source: i486.elf

Joe Sandbox ML: detected

Spreading

Source: i486.elf

String: /lib//sbin//usr//proc//exeself/fd/fd/socket:/proc/proc//exewgetcurlftpmountabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/proc/net/tcp/proc//exe/fd//proc//maps/lib/usr/lib

Networking

Source: global traffic

TCP traffic: 192.168.2.23:50922 -> 193.70.75.42:5555

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42

Source: global traffic

DNS traffic detected: DNS query: foxthreatnointel.africa

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: i486.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: i486.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown
Source: 6206.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 6206.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown

Source: ELF static info symbol of initial sample	Name: add_attack
Source: ELF static info symbol of initial sample	Name: attack_add_pid
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_ongoing
Source: ELF static info symbol of initial sample	Name: attack_parse
Source: ELF static info symbol of initial sample	Name: attack_remove_id
Source: ELF static info symbol of initial sample	Name: attack_start
Source: ELF static info symbol of initial sample	Name: attack_stop
Source: ELF static info symbol of initial sample	Name: attacks_ack
Source: ELF static info symbol of initial sample	Name: attacks_gre

Source: i486.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: i486.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: 6206.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 6206.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26

Source: classification engine

Classification label: mal64.linELF@0/0@1/0