Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:ppc.elf
Analysis ID:1541747
MD5:56029c5c630dc416adf9ebff8a71001b
SHA1:b366d357ce02cf5ddb8d94dddc1ac76caafcfe98
SHA256:44a3056cb87d5445053080359a81038fb8eec2bcc628dd0b5969dc5bae15098f
Tags:elfuser-abuse_ch

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541747
Start date and time:2024-10-25 05:03:11 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ppc.elf
Detection:CLEAN
Classification:clean1.linELF@0/0@0/0

Runtime Messages

Command:/tmp/ppc.elf
PID:5517
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • ppc.elf (PID: 5517, Parent: 5436, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: clean1.linELF@0/0@0/0
Source: /tmp/ppc.elf (PID: 5517)Queries kernel information via 'uname': Jump to behavior
Source: ppc.elf, 5517.1.000055ebba95d000.000055ebbaa0d000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: ppc.elf, 5517.1.00007ffc7a978000.00007ffc7a999000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 5517.1.000055ebba95d000.000055ebbaa0d000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 5517.1.00007ffc7a978000.00007ffc7a999000.rw-.sdmpBinary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1541747 Sample: ppc.elf Startdate: 25/10/2024 Architecture: LINUX Score: 1 4 ppc.elf 2->4         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ppc.elf3%ReversingLabs

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):5.972642978956076
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:ppc.elf
File size:58'724 bytes
MD5:56029c5c630dc416adf9ebff8a71001b
SHA1:b366d357ce02cf5ddb8d94dddc1ac76caafcfe98
SHA256:44a3056cb87d5445053080359a81038fb8eec2bcc628dd0b5969dc5bae15098f
SHA512:4eaa3b34568a60dbcec9c26c4488e076958889fc229a0495e29de2031d256f937715bc22b1b910c540c6a9ccd867a7856643c99e0d619c31e2ced32f756dc51c
SSDEEP:1536:2zxZMRE9O5IePUUwPE6lJdq5NUDHUj5yLoYUEjja:2VygOe3PfXqLJ
TLSH:E3432911A30D1D47E1635DF43A3F27E293DEDE8021F59A453A2E7A456672F3A4083ECA
File Content Preview:.ELF...........................4.........4. ...(.......................d...d...........................|..,d...............T...T...T................dt.Q.............................!..|......$H...H......$8!. |...N.. .!..|.......?.............../...@..`= .

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:PowerPC
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x10000218
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:4
Section Header Offset:58084
Section Header Size:40
Number of Section Headers:16
Header String Table Index:15

Sections

NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
NULL0x00x00x00x00x0000
.initPROGBITS0x100000b40xb40x240x00x6AX004
.textPROGBITS0x100000d80xd80xc3580x00x6AX004
.finiPROGBITS0x1000c4300xc4300x200x00x6AX004
.rodataPROGBITS0x1000c4500xc4500x16140x00x2A008
.eh_framePROGBITS0x1000e0000xe0000x540x00x3WA004
.tbssNOBITS0x1000e0540xe0540x80x00x403WAT004
.ctorsPROGBITS0x1000e0540xe0540x80x00x3WA004
.dtorsPROGBITS0x1000e05c0xe05c0x80x00x3WA004
.jcrPROGBITS0x1000e0640xe0640x40x00x3WA004
.dataPROGBITS0x1000e0680xe0680x1c80x00x3WA004
.gotPROGBITS0x1000e2300xe2300x100x40x7WAX004
.sdataPROGBITS0x1000e2400xe2400x3c0x00x3WA004
.sbssNOBITS0x1000e27c0xe27c0x600x00x3WA004
.bssNOBITS0x1000e2dc0xe27c0x29880x00x3WA004
.shstrtabSTRTAB0x00xe27c0x650x00x0001

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x100000000x100000000xda640xda646.11010x5R E0x1000.init .text .fini .rodata
LOAD0xe0000x1000e0000x1000e0000x27c0x2c643.77780x7RWE0x1000.eh_frame .tbss .ctors .dtors .jcr .data .got .sdata .sbss .bss
TLS0xe0540x1000e0540x1000e0540x00x80.00000x4R 0x4.tbss
GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

Network Behavior

No network behavior found

System Behavior

General

Start time (UTC):03:03:56
Start date (UTC):25/10/2024
Path:/tmp/ppc.elf
Arguments:/tmp/ppc.elf
File size:5388968 bytes
MD5 hash:ae65271c943d3451b7f026d1fadccea6

Chronological Activities