Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
sh4.elf

Overview

General Information

Sample name:sh4.elf
Analysis ID:1541784
MD5:81f832b8b6d01d21abc30f809765e7b1
SHA1:d17e81ab879a728aea30d152219168cd1cb8819e
SHA256:c19c04e6b344cf911337464583d37fde4bafee0765c8cde6ef8d984027333114
Tags:elfuser-abuse_ch

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541784
Start date and time:2024-10-25 06:28:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:sh4.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Runtime Messages

Command:/tmp/sh4.elf
PID:5432
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • sh4.elf (PID: 5432, Parent: 5357, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: sh4.elfVirustotal: Detection: 9%Perma Link
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /tmp/sh4.elf (PID: 5432)Queries kernel information via 'uname': Jump to behavior
Source: sh4.elf, 5432.1.00007ffcd6caf000.00007ffcd6cd0000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
Source: sh4.elf, 5432.1.0000560a0d331000.0000560a0d394000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.elf, 5432.1.00007ffcd6caf000.00007ffcd6cd0000.rw-.sdmpBinary or memory string: bx86_64/usr/bin/qemu-sh4/tmp/sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.elf
Source: sh4.elf, 5432.1.0000560a0d331000.0000560a0d394000.rw-.sdmpBinary or memory string: V5!/etc/qemu-binfmt/sh4

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
sh4.elf9%VirustotalBrowse

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.855712136170879
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:sh4.elf
File size:46'580 bytes
MD5:81f832b8b6d01d21abc30f809765e7b1
SHA1:d17e81ab879a728aea30d152219168cd1cb8819e
SHA256:c19c04e6b344cf911337464583d37fde4bafee0765c8cde6ef8d984027333114
SHA512:dca9b1fb7bbc566cda6b55a663628c28e8d11e58efeb893956bc60d83b9998355786761fb3e744db5a183a2e12681499da716007f755259c2362da6c265b4b66
SSDEEP:768:EQcbbZSD7wNuRVSodzxNW6dtMwmwM2T08nBHKMaIW:EQckD7K2SodjddtkwM2A8nFKX
TLSH:53235B67C9351F63C01ADAF93036AB7843672570814A2EF4A13BC7780593E5DF9987B8
File Content Preview:.ELF..............*.......@.4...........4. ...(...............@...@...........................@...@......1..............@...@.@.@.@.................Q.td............................././"O.n........#.*@........#.*@l....o&O.n...l.............................

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:<unknown>
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4001c0
Flags:0x9
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:4
Section Header Offset:46020
Section Header Size:40
Number of Section Headers:14
Header String Table Index:13

Sections

NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
NULL0x00x00x00x00x0000
.initPROGBITS0x4000b40xb40x300x00x6AX004
.textPROGBITS0x4001000x1000x9e800x00x6AX0032
.finiPROGBITS0x409f800x9f800x240x00x6AX004
.rodataPROGBITS0x409fa40x9fa40x11200x00x2A004
.eh_framePROGBITS0x40c0c40xb0c40x7c0x00x3WA004
.tbssNOBITS0x40c1400xb1400x80x00x403WAT004
.ctorsPROGBITS0x40c1400xb1400x80x00x3WA004
.dtorsPROGBITS0x40c1480xb1480x80x00x3WA004
.jcrPROGBITS0x40c1500xb1500x40x00x3WA004
.dataPROGBITS0x40c1540xb1540x2040x00x3WA004
.gotPROGBITS0x40c3580xb3580x140x40x3WA004
.bssNOBITS0x40c36c0xb36c0x2efc0x00x3WA004
.shstrtabSTRTAB0x00xb36c0x580x00x0001

Program Segments

TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
LOAD0x00x4000000x4000000xb0c40xb0c46.90840x5R E0x1000.init .text .fini .rodata
LOAD0xb0c40x40c0c40x40c0c40x2a80x31a43.88000x6RW 0x1000.eh_frame .tbss .ctors .dtors .jcr .data .got .bss
TLS0xb1400x40c1400x40c1400x00x80.00000x4R 0x4.tbss
GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

Network Behavior

No network behavior found

System Behavior

General

Start time (UTC):04:29:00
Start date (UTC):25/10/2024
Path:/tmp/sh4.elf
Arguments:/tmp/sh4.elf
File size:4139976 bytes
MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

Chronological Activities