Linux
Analysis Report
mips.elf
Overview
General Information
Field | Value |
---|---|
Sample name: | mips.elf |
Analysis ID: | 1543413 |
MD5: | 4222146a411330a26431fb40204b723a |
SHA1: | d67d280720db895d3eb19bde69d3940299203407 |
SHA256: | ab946b31d14b3be2b518a49328cb51f2bd9a3e8e7a51a8442e6d0ebdab73cc33 |
Tags: | elfuser-abuse_ch |
Detection
Field | Value |
---|---|
Score: | 48 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Classification
Field | Value |
---|---|
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1543413 |
Start date and time: | 2024-10-27 20:23:42 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | mips.elf |
Detection: | MAL |
Classification: | mal48.linELF@0/0@0/0 |
- VT rate limit hit for: mips.elf
Field | Value |
---|---|
Command: | /tmp/mips.elf |
PID: | 5493 |
Exit Code: | 2 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |

Standard Error:

    fatal error: sigaction failed
    runtime stack:
    runtime.throw({0x5c705a, 0x10})
    	runtime/panic.go:1023 +0x54 fp=0x7ffffce4 sp=0x7ffffcd0 pc=0x5d5c8
    runtime.sysSigaction.func1()
    	runtime/os_linux.go:535 +0x4c fp=0x7ffffcf0 sp=0x7ffffce4 pc=0x9b920
    runtime.sysSigaction(0x41, 0x7ffffd18, 0x0)
    	runtime/os_linux.go:534 +0x7c fp=0x7ffffd08 sp=0x7ffffcf0 pc=0x5a1a0
    runtime.sigaction(...)
    	runtime/sigaction.go:15
    runtime.setsig(0x41, 0x7e7c4)
    	runtime/os_linux.go:482 +0xbc fp=0x7ffffd34 sp=0x7ffffd08 pc=0x5a06c
    runtime.initsig(0x0)
    	runtime/signal_unix.go:148 +0x2c0 fp=0x7ffffd70 sp=0x7ffffd34 pc=0x7de10
    runtime.mstartm0()
    	runtime/proc.go:1753 +0x70 fp=0x7ffffd78 sp=0x7ffffd70 pc=0x65b20
    runtime.mstart1()
    	runtime/proc.go:1725 +0x94 fp=0x7ffffd88 sp=0x7ffffd78 pc=0x65a18
    runtime.mstart0()
    	runtime/proc.go:1686 +0x7c fp=0x7ffffd9c sp=0x7ffffd88 pc=0x65964
    runtime.mstart()
    	runtime/asm_mipsx.s:89 +0x14 fp=0x7ffffda0 sp=0x7ffffd9c pc=0xa312c

    goroutine 1 gp=0xc00128 m=nil [runnable]:
    runtime.main()
    	runtime/proc.go:146 fp=0xc3e7ec sp=0xc3e7ec pc=0x61284
    runtime.goexit({})
    	runtime/asm_mipsx.s:641 +0x4 fp=0xc3e7ec sp=0xc3e7ec pc=0xa5560
- system is lnxubuntu20
- cleanup
⊘No yara matches
⊘No Suricata rule has matched
AV Detection

Field | Value |
---|---|
Source: | ReversingLabs: |
Source: | .symtab present: |
Source: | Classification label: |
Source: | Submission: |
Source: | Queries kernel information via 'uname': |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 13% | ReversingLabs | Linux.Trojan.RevhellMarte | |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No created / dropped files found
Field | Value |
---|---|
File type: | |
Entropy (8bit): | 5.538179431809445 |
TrID: | |
File name: | mips.elf |
File size: | 9'568'439 bytes |
MD5: | 4222146a411330a26431fb40204b723a |
SHA1: | d67d280720db895d3eb19bde69d3940299203407 |
SHA256: | ab946b31d14b3be2b518a49328cb51f2bd9a3e8e7a51a8442e6d0ebdab73cc33 |
SHA512: | 98f60bb528b8c486d1f55a53ff4393b91c844ad78e19a5207cdbd06a8f5448d7da3de74a084c5b14328a16b803134652faffd758e729af39988d1343dfdaaf2a |
SSDEEP: | 49152:ngM600w96vZpChK1iUYiLdrpqMkWdwc4yHaA4drgl3GN+lnEk:n6oK1iUBOUUI |
TLSH: | 70A60804BC842BEAC46C5B7584EACA5626745D145EF14A2A37A0FFACBC762347F47C8C |
File Content Preview: | .ELF.....................]..4..........P4. ...(.........4...4...4...................................d...d.............................M...M...............N...O...O.@:?.@:?..............................V..........Q.td...............................p....... |
ELF header | Value |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 7 |
Section Header Offset: | 276 |
Section Header Size: | 40 |
Number of Section Headers: | 16 |
Header String Table Index: | 14 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
.text | PROGBITS | 0x11000 | 0x1000 | 0x4d87bc | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x4f0000 | 0x4e0000 | 0x19640c | 0x0 | 0x2 | A | 0 | 0 | 32 |
.gnu.attributes | GNU_ATTRIBUTES | 0x0 | 0x676410 | 0x10 | 0x0 | 0x0 | | 0 | 0 | 1 |
.typelink | PROGBITS | 0x686420 | 0x676420 | 0x3104 | 0x0 | 0x2 | A | 0 | 0 | 32 |
.itablink | PROGBITS | 0x689540 | 0x679540 | 0xf70 | 0x0 | 0x2 | A | 0 | 0 | 32 |
.gosymtab | PROGBITS | 0x68a4b0 | 0x67a4b0 | 0x0 | 0x0 | 0x2 | A | 0 | 0 | 1 |
.gopclntab | PROGBITS | 0x68a4c0 | 0x67a4c0 | 0x259580 | 0x0 | 0x2 | A | 0 | 0 | 32 |
.go.buildinfo | PROGBITS | 0x8f0000 | 0x8e0000 | 0x590 | 0x0 | 0x3 | WA | 0 | 0 | 16 |
.noptrdata | PROGBITS | 0x8f05a0 | 0x8e05a0 | 0x2fca2 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.data | PROGBITS | 0x920260 | 0x910260 | 0xab50 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.bss | NOBITS | 0x92adc0 | 0x91adc0 | 0x2bc48 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.noptrbss | NOBITS | 0x956a20 | 0x946a20 | 0xeccc | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.note.go.buildid | NOTE | 0x10f9c | 0xf9c | 0x64 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0x920000 | 0xb7 | 0x0 | 0x0 | | 0 | 0 | 1 |
.MIPS.abiflags | MIPS_ABIFLAGS | 0x10f84 | 0xf84 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 8 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
PHDR | 0x34 | 0x10034 | 0x10034 | 0xe0 | 0xe0 | 2.4982 | 0x4 | R | 0x10000 | | |
NOTE | 0xf9c | 0x10f9c | 0x10f9c | 0x64 | 0x64 | 5.4208 | 0x4 | R | 0x4 | | .note.go.buildid |
LOAD | 0x0 | 0x10000 | 0x10000 | 0x4d97bc | 0x4d97bc | 5.0823 | 0x5 | R E | 0x10000 | | .text .note.go.buildid .MIPS.abiflags |
LOAD | 0x4e0000 | 0x4f0000 | 0x4f0000 | 0x3f3a40 | 0x3f3a40 | 5.6286 | 0x4 | R | 0x10000 | | .rodata .typelink .itablink .gosymtab .gopclntab |
LOAD | 0x8e0000 | 0x8f0000 | 0x8f0000 | 0x3adc0 | 0x756ec | 5.6094 | 0x6 | RW | 0x10000 | | .go.buildinfo .noptrdata .data .bss .noptrbss |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | | |
ABIFLAGS | 0xf84 | 0x10f84 | 0x10f84 | 0x18 | 0x18 | 0.8887 | 0x4 | R | 0x8 | | .MIPS.abiflags |
⊘No network behavior found
System Behavior
Field | Value |
---|---|
Start time (UTC): | 19:24:23 |
Start date (UTC): | 27/10/2024 |
Path: | /tmp/mips.elf |
Arguments: | /tmp/mips.elf |
File size: | 5773336 bytes |
MD5 hash: | 0d6f61f82cf2f781c6eb0661071d42d9 |