Linux
Analysis Report
ppc.elf
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Classification
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1544028 |
Start date and time: | 2024-10-28 18:18:09 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 3s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | ppc.elf |
Detection: | MAL |
Classification: | mal56.evad.linELF@0/0@0/0 |
- Skipping network analysis since amount of network traffic is too extensive
- VT rate limit hit for: ppc.elf
Command: | /tmp/ppc.elf |
PID: | 5549 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | thIs wEek on xLaB lEarNs nOthinG xd |
Standard Error: |
- system is lnxubuntu20
- dash New Fork (PID: 5507, Parent: 3671)
- dash New Fork (PID: 5508, Parent: 3671)
- dash New Fork (PID: 5509, Parent: 3671)
- dash New Fork (PID: 5510, Parent: 3671)
- dash New Fork (PID: 5511, Parent: 3671)
- dash New Fork (PID: 5512, Parent: 3671)
- dash New Fork (PID: 5513, Parent: 3671)
- dash New Fork (PID: 5514, Parent: 3671)
- dash New Fork (PID: 5515, Parent: 3671)
- dash New Fork (PID: 5516, Parent: 3671)
- ppc.elf New Fork (PID: 5551, Parent: 5549)
- ppc.elf New Fork (PID: 5553, Parent: 5549)
- ppc.elf New Fork (PID: 5578, Parent: 5549)
- cleanup
- • AV Detection
- • Spreading
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
Click to jump to signature section
AV Detection |
---|
Source: | ReversingLabs: |
Source: | String: | ||
Source: | String: |
Source: | Socket: | Jump to behavior |
Source: | .symtab present: |
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior |
Source: | Classification label: |
Data Obfuscation |
---|
Source: | File: | Jump to behavior |
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior | ||
Source: | Directory: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Rm executable: | Jump to behavior | ||
Source: | Rm executable: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Log files deleted: | Jump to behavior |
Source: | Sleeps longer then 60s: | Jump to behavior | ||
Source: | Sleeps longer then 60s: | Jump to behavior | ||
Source: | Sleeps longer then 60s: | Jump to behavior |
Source: | Queries kernel information via 'uname': | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | Path Interception | 1 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Hidden Files and Directories | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Indicator Removal | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 File Deletion | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
18% | ReversingLabs | Linux.Trojan.Mirai |
File type: | |
Entropy (8bit): | 6.067815872102156 |
TrID: |
|
File name: | ppc.elf |
File size: | 59'788 bytes |
MD5: | fca3a13f964c784e1dd3535c18ba79fd |
SHA1: | d57cc0ad213106cf015bbd8211715cb6b859dc81 |
SHA256: | 501bf20705d8ca8c8fb9c1bfb648cbfb96a67bd775c8b97619752ddaef62f2f1 |
SHA512: | 737e539c223504876ecd93cc5bd9486ab2e28b7092a7d2d73c0f51fc7bc78760f89e3e4955d2c80b42aa043d8a68609b7a6ad87129e0fb8ffba115bb03607957 |
SSDEEP: | 1536:7xAQIVDLZOROw9U9mJQKa44N4qBBRGsg5L:GQiDLZ9Uir44vR/g5L |
TLSH: | C3431942721C0943C1661EF0363B17E0D3ABAAD222E4F388765F6B4AD1B1E376545EDE |
File Content Preview: | .ELF...........................4.........4. ...(.......................................................h..E.........dt.Q.............................!..|......$H...H..)...$8!. |...N.. .!..|.......?.............../...@..\?........+../...A..$8...})......N.. |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 59308 |
Section Header Size: | 40 |
Number of Section Headers: | 12 |
Header String Table Index: | 11 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.init | PROGBITS | 0x10000094 | 0x94 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x100000b8 | 0xb8 | 0xd180 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.fini | PROGBITS | 0x1000d238 | 0xd238 | 0x20 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x1000d258 | 0xd258 | 0x119c | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ctors | PROGBITS | 0x1001e3f8 | 0xe3f8 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x1001e400 | 0xe400 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x1001e410 | 0xe410 | 0x334 | 0x0 | 0x3 | WA | 0 | 0 | 8 |
.sdata | PROGBITS | 0x1001e744 | 0xe744 | 0x1c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.sbss | NOBITS | 0x1001e760 | 0xe760 | 0x80 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x1001e7e0 | 0xe760 | 0x41dc | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.shstrtab | STRTAB | 0x0 | 0xe760 | 0x4b | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x10000000 | 0x10000000 | 0xe3f4 | 0xe3f4 | 6.1042 | 0x5 | R E | 0x10000 | .init .text .fini .rodata | |
LOAD | 0xe3f8 | 0x1001e3f8 | 0x1001e3f8 | 0x368 | 0x45c4 | 3.8454 | 0x6 | RW | 0x10000 | .ctors .dtors .data .sdata .sbss .bss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |
System Behavior
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.DM9Q5Mohm1 /tmp/tmp.VC2F28MSxW /tmp/tmp.mkdFGKy59o |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/cat |
Arguments: | cat /tmp/tmp.DM9Q5Mohm1 |
File size: | 43416 bytes |
MD5 hash: | 7e9d213e404ad3bb82e4ebb2e1f2c1b3 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/head |
Arguments: | head -n 10 |
File size: | 47480 bytes |
MD5 hash: | fd96a67145172477dd57131396fc9608 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/tr |
Arguments: | tr -d \\000-\\011\\013\\014\\016-\\037 |
File size: | 51544 bytes |
MD5 hash: | fbd1402dd9f72d8ebfff00ce7c3a7bb5 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/cut |
Arguments: | cut -c -80 |
File size: | 47480 bytes |
MD5 hash: | d8ed0ea8f22c0de0f8692d4d9f1759d3 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/cat |
Arguments: | cat /tmp/tmp.DM9Q5Mohm1 |
File size: | 43416 bytes |
MD5 hash: | 7e9d213e404ad3bb82e4ebb2e1f2c1b3 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/head |
Arguments: | head -n 10 |
File size: | 47480 bytes |
MD5 hash: | fd96a67145172477dd57131396fc9608 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/tr |
Arguments: | tr -d \\000-\\011\\013\\014\\016-\\037 |
File size: | 51544 bytes |
MD5 hash: | fbd1402dd9f72d8ebfff00ce7c3a7bb5 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/cut |
Arguments: | cut -c -80 |
File size: | 47480 bytes |
MD5 hash: | d8ed0ea8f22c0de0f8692d4d9f1759d3 |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/dash |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 17:18:52 |
Start date (UTC): | 28/10/2024 |
Path: | /usr/bin/rm |
Arguments: | rm -f /tmp/tmp.DM9Q5Mohm1 /tmp/tmp.VC2F28MSxW /tmp/tmp.mkdFGKy59o |
File size: | 72056 bytes |
MD5 hash: | aa2b5496fdbfd88e38791ab81f90b95b |
Start time (UTC): | 17:18:56 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | /tmp/ppc.elf |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:18:56 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:18:56 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:18:56 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:19:22 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:19:22 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:19:25 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:19:25 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:20:22 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:20:22 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:21:22 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |
Start time (UTC): | 17:21:22 |
Start date (UTC): | 28/10/2024 |
Path: | /tmp/ppc.elf |
Arguments: | - |
File size: | 5388968 bytes |
MD5 hash: | ae65271c943d3451b7f026d1fadccea6 |