Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
wheiuwa4.elf

Overview

General Information

Sample name:wheiuwa4.elf
Analysis ID:1561482
MD5:58a10add7fee06f8b293b25653e7276b
SHA1:afb845682fe31e4762445c3432f081cb7d98b15a
SHA256:16b7dea3152029bd5f15b6a65bfd17fcb3f933e6028e0dbc1d228d3f639259f5
Tags:elfuser-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Executes the "rm" command used to delete files or directories
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1561482
Start date and time:2024-11-23 14:37:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:wheiuwa4.elf
Detection:MAL
Classification:mal48.linELF@0/0@0/0

Warnings

  • VT rate limit hit for: wheiuwa4.elf

Runtime Messages

Command:/tmp/wheiuwa4.elf
PID:6252
Exit Code:135
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 6228, Parent: 4331)
  • rm (PID: 6228, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.LixYaMEdc6 /tmp/tmp.ch7km2Tn7N /tmp/tmp.UhXrX0YvVx
  • dash New Fork (PID: 6229, Parent: 4331)
  • rm (PID: 6229, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.LixYaMEdc6 /tmp/tmp.ch7km2Tn7N /tmp/tmp.UhXrX0YvVx
  • wheiuwa4.elf (PID: 6252, Parent: 6152, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/wheiuwa4.elf
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: wheiuwa4.elfReversingLabs: Detection: 15%
Source: unknownTCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 33606
Source: unknownNetwork traffic detected: HTTP traffic on port 33606 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
Source: classification engineClassification label: mal48.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 6228)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.LixYaMEdc6 /tmp/tmp.ch7km2Tn7N /tmp/tmp.UhXrX0YvVxJump to behavior
Source: /usr/bin/dash (PID: 6229)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.LixYaMEdc6 /tmp/tmp.ch7km2Tn7N /tmp/tmp.UhXrX0YvVxJump to behavior
Source: /tmp/wheiuwa4.elf (PID: 6252)Queries kernel information via 'uname': Jump to behavior
Source: wheiuwa4.elf, 6252.1.000055649ddbe000.000055649deca000.rw-.sdmpBinary or memory string: dU!/etc/qemu-binfmt/arm
Source: wheiuwa4.elf, 6252.1.00007ffccec10000.00007ffccec31000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/wheiuwa4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/wheiuwa4.elf
Source: wheiuwa4.elf, 6252.1.000055649ddbe000.000055649deca000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: wheiuwa4.elf, 6252.1.00007ffccec10000.00007ffccec31000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: wheiuwa4.elf, 6252.1.000055649ddbe000.000055649deca000.rw-.sdmpBinary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: wheiuwa4.elf, 6252.1.000055649ddbe000.000055649deca000.rw-.sdmpBinary or memory string: dUrg.qemu.gdb.arm.sys.regs">

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
wheiuwa4.elf16%ReversingLabsLinux.Backdoor.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
54.171.230.55
unknownUnited States
16509AMAZON-02USfalse
109.202.202.202
unknownSwitzerland
13030INIT7CHfalse
91.189.91.43
unknownUnited Kingdom
41231CANONICAL-ASGBfalse
91.189.91.42
unknownUnited Kingdom
41231CANONICAL-ASGBfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
54.171.230.55x86.elfGet hashmaliciousUnknownBrowse
    hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
      arm.elfGet hashmaliciousUnknownBrowse
        main_ppc.elfGet hashmaliciousMiraiBrowse
          main_arm5.elfGet hashmaliciousMiraiBrowse
            mmb9.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
              mmb4.elfGet hashmaliciousMirai, OkiruBrowse
                Mozi.m.elfGet hashmaliciousUnknownBrowse
                  tftp.elfGet hashmaliciousUnknownBrowse
                    sshd.elfGet hashmaliciousUnknownBrowse
                      109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                      • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                      91.189.91.43.i.elfGet hashmaliciousUnknownBrowse
                        Mozi.m.elfGet hashmaliciousUnknownBrowse
                          yakuza.m68k.elfGet hashmaliciousMiraiBrowse
                            linux_arm5.elfGet hashmaliciousUnknownBrowse
                              la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                  la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                    la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                      la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                        la.bot.arm7.elfGet hashmaliciousUnknownBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          CANONICAL-ASGB.i.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          Mozi.m.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          yakuza.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          yakuza.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          linux_arm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          CANONICAL-ASGB.i.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          Mozi.m.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          yakuza.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          yakuza.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          linux_arm5.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                          • 91.189.91.42
                                          la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                          • 91.189.91.42
                                          AMAZON-02USyakuza.sh.elfGet hashmaliciousMiraiBrowse
                                          • 46.51.154.213
                                          yakuza.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 34.249.145.219
                                          yakuza.i586.elfGet hashmaliciousMiraiBrowse
                                          • 52.221.94.55
                                          x86.elfGet hashmaliciousUnknownBrowse
                                          • 54.171.230.55
                                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                          • 18.238.49.124
                                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                          • 3.168.73.83
                                          file.exeGet hashmaliciousCredential FlusherBrowse
                                          • 35.164.125.63
                                          hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          • 54.171.230.55
                                          https://fax-review-complete-signature-required.s3.us-east-1.amazonaws.com/Derwiiuw45FSDeerwyllakttqyhfffddd/ASgggsh65378Reloadfffax3527paogHjkks/Pdf.htmlGet hashmaliciousUnknownBrowse
                                          • 52.216.63.10
                                          https://3a88da1a86b3b964.ngrok.app/Factura.phpGet hashmaliciousUnknownBrowse
                                          • 3.17.7.232
                                          INIT7CH.i.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          Mozi.m.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          yakuza.arm6.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          yakuza.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          linux_arm5.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          la.bot.arc.elfGet hashmaliciousMiraiBrowse
                                          • 109.202.202.202
                                          la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202
                                          la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                          • 109.202.202.202

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, missing section headers at 162520
                                          Entropy (8bit):5.852340555946846
                                          TrID:
                                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                          File name:wheiuwa4.elf
                                          File size:15'911 bytes
                                          MD5:58a10add7fee06f8b293b25653e7276b
                                          SHA1:afb845682fe31e4762445c3432f081cb7d98b15a
                                          SHA256:16b7dea3152029bd5f15b6a65bfd17fcb3f933e6028e0dbc1d228d3f639259f5
                                          SHA512:f84361e6c8445d4313aad81df798c5e45852686b12726bcc149e4abcd429943be7e7aecb1e26a9ee3173d8448bcdbf18cf66f37152fe7493111fd715e49721db
                                          SSDEEP:384:yqshcZyge1HZXNkY3ZQne1zFSPxR87m3/GzJD0Ukkp:yhhcZyvHRNP3qn6obAm3eykp
                                          TLSH:1862B4516881656386F4237EF8BE00CD336477A992DB722ECC625F24B791D1F0CA77A1
                                          File Content Preview:.ELF...a..........(.........4...py......4. ...(.....................t&..t&...............0...0...0..0I..............Q.td..................................-...L."...3}..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 23, 2024 14:37:53.467921019 CET4433360654.171.230.55192.168.2.23
                                          Nov 23, 2024 14:37:53.468163967 CET33606443192.168.2.2354.171.230.55
                                          Nov 23, 2024 14:37:53.587837934 CET4433360654.171.230.55192.168.2.23
                                          Nov 23, 2024 14:37:56.190824032 CET43928443192.168.2.2391.189.91.42
                                          Nov 23, 2024 14:38:01.566175938 CET42836443192.168.2.2391.189.91.43
                                          Nov 23, 2024 14:38:02.589965105 CET4251680192.168.2.23109.202.202.202
                                          Nov 23, 2024 14:38:16.668126106 CET43928443192.168.2.2391.189.91.42
                                          Nov 23, 2024 14:38:28.954458952 CET42836443192.168.2.2391.189.91.43
                                          Nov 23, 2024 14:38:33.049911976 CET4251680192.168.2.23109.202.202.202
                                          Nov 23, 2024 14:38:57.622437000 CET43928443192.168.2.2391.189.91.42

                                          System Behavior

                                          General

                                          Start time (UTC):13:37:52
                                          Start date (UTC):23/11/2024
                                          Path:/usr/bin/dash
                                          Arguments:-
                                          File size:129816 bytes
                                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                          Chronological Activities


                                          General

                                          Start time (UTC):13:37:52
                                          Start date (UTC):23/11/2024
                                          Path:/usr/bin/rm
                                          Arguments:rm -f /tmp/tmp.LixYaMEdc6 /tmp/tmp.ch7km2Tn7N /tmp/tmp.UhXrX0YvVx
                                          File size:72056 bytes
                                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                          Chronological Activities


                                          General

                                          Start time (UTC):13:37:52
                                          Start date (UTC):23/11/2024
                                          Path:/usr/bin/dash
                                          Arguments:-
                                          File size:129816 bytes
                                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                          Chronological Activities


                                          General

                                          Start time (UTC):13:37:52
                                          Start date (UTC):23/11/2024
                                          Path:/usr/bin/rm
                                          Arguments:rm -f /tmp/tmp.LixYaMEdc6 /tmp/tmp.ch7km2Tn7N /tmp/tmp.UhXrX0YvVx
                                          File size:72056 bytes
                                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                          Chronological Activities


                                          General

                                          Start time (UTC):13:37:54
                                          Start date (UTC):23/11/2024
                                          Path:/tmp/wheiuwa4.elf
                                          Arguments:/tmp/wheiuwa4.elf
                                          File size:4956856 bytes
                                          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                          Chronological Activities