Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
tftp.elf

Overview

General Information

Sample name:tftp.elf
Analysis ID:1541079
MD5:e3e2ca66ab4a38a56aa764415ff38e5e
SHA1:fba3ad5e3dffb7fde1bd8cf3da7d59ccd96e60b7
SHA256:829f76e09c6e3a92735fd324c0295e27cab04b8d4671d2eaa79c4579fe6b95c0
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541079
Start date and time:2024-10-24 11:58:35 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:tftp.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Warnings

  • VT rate limit hit for: tftp.elf

Runtime Messages

Command:/tmp/tftp.elf
PID:6254
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • tftp.elf (PID: 6254, Parent: 6179, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/tftp.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: tftp.elfReversingLabs: Detection: 21%
Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /tmp/tftp.elf (PID: 6254)Queries kernel information via 'uname': Jump to behavior
Source: tftp.elf, 6254.1.00005624701c3000.00005624702cf000.rw-.sdmpBinary or memory string: p$V!/etc/qemu-binfmt/arm
Source: tftp.elf, 6254.1.00007ffc5ef91000.00007ffc5efb2000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/tftp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp.elf
Source: tftp.elf, 6254.1.00005624701c3000.00005624702cf000.rw-.sdmpBinary or memory string: p$Vrg.qemu.gdb.arm.sys.regs">
Source: tftp.elf, 6254.1.00005624701c3000.00005624702cf000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: tftp.elf, 6254.1.00007ffc5ef91000.00007ffc5efb2000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: tftp.elf, 6254.1.00005624701c3000.00005624702cf000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
tftp.elf21%ReversingLabsLinux.Trojan.Multiverze

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
  • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43.i.elfGet hashmaliciousUnknownBrowse
    i486.elfGet hashmaliciousUnknownBrowse
      boatnet.arm5.elfGet hashmaliciousMiraiBrowse
        nsharm6.elfGet hashmaliciousMiraiBrowse
          boatnet.sh4.elfGet hashmaliciousMiraiBrowse
            BoM00gWx1d.elfGet hashmaliciousUnknownBrowse
              hidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                  boatnet.arm.elfGet hashmaliciousMiraiBrowse
                    na.elfGet hashmaliciousUnknownBrowse
                      91.189.91.42.i.elfGet hashmaliciousUnknownBrowse
                        i486.elfGet hashmaliciousUnknownBrowse
                          boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                            nsharm6.elfGet hashmaliciousMiraiBrowse
                              boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                BoM00gWx1d.elfGet hashmaliciousUnknownBrowse
                                  hidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                    boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                                      boatnet.arm.elfGet hashmaliciousMiraiBrowse
                                        na.elfGet hashmaliciousUnknownBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGB.i.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          i686.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          x86.elfGet hashmaliciousMirai, MoobotBrowse
                                          • 185.125.190.26
                                          i486.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          nsharm6.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          botnet.mips.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 185.125.190.26
                                          CANONICAL-ASGB.i.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          i686.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          x86.elfGet hashmaliciousMirai, MoobotBrowse
                                          • 185.125.190.26
                                          i486.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          na.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          nsharm6.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          botnet.mips.elfGet hashmaliciousUnknownBrowse
                                          • 185.125.190.26
                                          boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                          • 185.125.190.26
                                          INIT7CH.i.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          i486.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          nsharm6.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          BoM00gWx1d.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          hidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 109.202.202.202
                                          boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          boatnet.arm.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          na.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, missing section headers at 381572
                                          Entropy (8bit):6.009577370545004
                                          TrID:
                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                          File name:tftp.elf
                                          File size:102'400 bytes
                                          MD5:e3e2ca66ab4a38a56aa764415ff38e5e
                                          SHA1:fba3ad5e3dffb7fde1bd8cf3da7d59ccd96e60b7
                                          SHA256:829f76e09c6e3a92735fd324c0295e27cab04b8d4671d2eaa79c4579fe6b95c0
                                          SHA512:aee75e18fbbcb91243d1f2a921975fecb7ae289c9ea1daa0a88075b951f112fb32c5f66476f036a0e2de468d7815d0172c3ab3734f8a44d7ded0f0eccf53576d
                                          SSDEEP:3072:9LOuh02xHCKQnqZ9YfMXKgyLlBZSyPjYEC:FOuhPHCKsqZ9YfM6g23ZJLYEC
                                          TLSH:FEA30A96F8A28B56C4C557B7FB4FC75637231795E3DF36038A184E34278B50A8E3AA01
                                          File Content Preview:.ELF..............(.........4...........4. ...(........p.....+...+......................4...4...4...@...@...............t...t...t..............................................................................................................................

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Oct 24, 2024 11:59:34.050920010 CEST42836443192.168.2.2391.189.91.43
                                          Oct 24, 2024 11:59:35.074834108 CEST4251680192.168.2.23109.202.202.202
                                          Oct 24, 2024 11:59:48.896897078 CEST43928443192.168.2.2391.189.91.42
                                          Oct 24, 2024 12:00:01.183170080 CEST42836443192.168.2.2391.189.91.43
                                          Oct 24, 2024 12:00:05.278594971 CEST4251680192.168.2.23109.202.202.202
                                          Oct 24, 2024 12:00:29.851299047 CEST43928443192.168.2.2391.189.91.42

                                          System Behavior

                                          General

                                          Start time (UTC):09:59:29
                                          Start date (UTC):24/10/2024
                                          Path:/tmp/tftp.elf
                                          Arguments:/tmp/tftp.elf
                                          File size:4956856 bytes
                                          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                          Chronological Activities