Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
tftp.elf

Overview

General Information

Sample name:tftp.elf
Analysis ID:1544889
MD5:14caf90fd128da7915ce8d84cf08f4c2
SHA1:721a17f5450230441ebb58c1028de42902205221
SHA256:e79f1eb1023d3e1cc81652e83f4efe56daa837c701214b8db655a4c69c8d9416
Tags:elfuser-abuse_ch
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false

Signatures

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544889
Start date and time:2024-10-29 21:03:19 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:tftp.elf
Detection:CLEAN
Classification:clean1.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: tftp.elf

Runtime Messages

Command:/tmp/tftp.elf
PID:5536
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • tftp.elf (PID: 5536, Parent: 5454, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/tftp.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: Initial sampleString containing 'busybox' found: busybox_main
Source: Initial sampleString containing 'busybox' found: _fini__uClibc_mainbb_applet_namerun_applet_by_namebb_error_msg_and_diebeen_there_done_thatstderrbb_msg_full_versionappletsfputsbb_strlenmemmovememsetusage_messagesstrcmpbsearchfind_applet_by_namebb_show_usagebusybox_maintest_maincat_mainchmod_mainchown_mainclear_maincp_maindate_maindf_maindu_mainecho_mainenv_mainfalse_mainhalt_mainhostname_mainifconfig_maininit_maininsmod_mainkill_mainln_mainls_mainlsmod_mainmesg_mainmkdir_mainmknod_mainmodprobe_mainmore_mainmsh_mainmv_mainnetstat_mainnslookup_mainping_mainpoweroff_mainps_mainpwd_mainreboot_mainreset_mainrm_mainrmdir_mainrmmod_mainstart_stop_daemon_mainstty_maintail_maintelnet_maintftp_maintop_maintouch_maintrue_mainumount_mainuname_mainuptime_mainwhoami_mainbb_getopt_ulflagsoptindbb_wfopen_inputfilenobb_copyfd_eofbb_fclose_nonstdinbb_parse_modechmodbb_perror_msgrecursive_actionlchownstrchrget_ug_idmy_getgrnammy_getpwnamlstatcp_mv_stat2cp_mv_statbb_get_last_path_componentconcat_path_filecopy_filefreebb_opt_complementalyputenvbb_perror_msg_and_dielocaltimememc
Source: classification engineClassification label: clean1.linELF@0/0@2/0
Source: /tmp/tftp.elf (PID: 5536)Queries kernel information via 'uname': Jump to behavior
Source: tftp.elf, 5536.1.00007fff1aa9c000.00007fff1aabd000.rw-.sdmpBinary or memory string: 5x86_64/usr/bin/qemu-mips/tmp/tftp.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tftp.elf
Source: tftp.elf, 5536.1.0000559f9a10c000.0000559f9a170000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
Source: tftp.elf, 5536.1.0000559f9a10c000.0000559f9a170000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: tftp.elf, 5536.1.00007fff1aa9c000.00007fff1aabd000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544889 Sample: tftp.elf Startdate: 29/10/2024 Architecture: LINUX Score: 1 7 daisy.ubuntu.com 2->7 5 tftp.elf 2->5         started        process3

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
tftp.elf0%ReversingLabs

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		unknown

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.combelks.arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    belks.arm6.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    belks.arm5.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    belks.arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    belks.mips.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    belks.sh4.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    belks.ppc.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    5.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    arm6.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, missing section headers at 243968
    Entropy (8bit):5.355308200844317
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:tftp.elf
    File size:102'400 bytes
    MD5:14caf90fd128da7915ce8d84cf08f4c2
    SHA1:721a17f5450230441ebb58c1028de42902205221
    SHA256:e79f1eb1023d3e1cc81652e83f4efe56daa837c701214b8db655a4c69c8d9416
    SHA512:adfa59151549ae073e7938c73762740d337811f7acca26089f3da9f77aa25fbff745ac779bc6faf746d69b7ef428dd536a2ae28f618a1eb593093dbc3e477815
    SSDEEP:1536:fmdurU07J8MtqHxqGPkncW/RVi/wJz8H6xVRFOr4kp6khxH:fma7JLqHxcncWZViTH6xVRFOR6khV
    TLSH:DCA3825E7A218F7DF6B8C73497FB1B34A77922CA2A91C580D1ACD5012E2434D981FF68
    File Content Preview:.ELF.....................@7....4....P....4. ...(...........4.@.4.@.4.........................@...@..................p......(.@.(.@.(.........................@...@....a...a...............a..Da..Da.......N0...............@.@.@.@.@...........................

    Network Behavior

    Network Port Distribution

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Oct 29, 2024 21:04:05.682923079 CET3374453192.168.2.151.1.1.1
    Oct 29, 2024 21:04:05.682971954 CET4883653192.168.2.151.1.1.1
    Oct 29, 2024 21:04:05.691139936 CET53488361.1.1.1192.168.2.15
    Oct 29, 2024 21:04:05.706795931 CET53337441.1.1.1192.168.2.15

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Oct 29, 2024 21:04:05.682923079 CET192.168.2.151.1.1.10x5979Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Oct 29, 2024 21:04:05.682971954 CET192.168.2.151.1.1.10xe47fStandard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Oct 29, 2024 21:04:05.706795931 CET1.1.1.1192.168.2.150x5979No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
    Oct 29, 2024 21:04:05.706795931 CET1.1.1.1192.168.2.150x5979No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):20:04:03
    Start date (UTC):29/10/2024
    Path:/tmp/tftp.elf
    Arguments:/tmp/tftp.elf
    File size:5777432 bytes
    MD5 hash:0083f1f0e77be34ad27f849842bbb00c

    Chronological Activities