Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
bin.sh.elf

Overview

General Information

Sample name:bin.sh.elf
Analysis ID:1561512
MD5:ac8dc686374f36fd1e0d1b680b201af5
SHA1:23e3dba72ecd2f468d1b80914d3968cebf79f5cd
SHA256:d1bf56cfc7191084fe938da61077120f6c3abf27231f36befaf50f9c24a4d511
Tags:elfuser-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1561512
Start date and time:2024-11-23 16:12:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:bin.sh.elf
Detection:MAL
Classification:mal64.linELF@0/0@2/0

Warnings

  • VT rate limit hit for: bin.sh.elf

Runtime Messages

Command:/tmp/bin.sh.elf
PID:5488
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

  • system is lnxubuntu20
  • bin.sh.elf (PID: 5488, Parent: 5405, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/bin.sh.elf
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
bin.sh.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
  • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00

Memory Dumps

SourceRuleDescriptionAuthorStrings
5488.1.00007f4864400000.00007f4864422000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
  • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: bin.sh.elfAvira: detected
Multi AV Scanner detection for submitted file
Source: bin.sh.elfReversingLabs: Detection: 52%
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: 5488.1.00007f4864400000.00007f4864422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
Source: LOAD without section mappingsProgram segment: 0x400000
Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: 5488.1.00007f4864400000.00007f4864422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
Source: classification engineClassification label: mal64.linELF@0/0@2/0
Source: bin.sh.elfSubmission file: segment LOAD with 7.8186 entropy (max. 8.0)
Source: /tmp/bin.sh.elf (PID: 5488)Queries kernel information via 'uname': Jump to behavior
Source: bin.sh.elf, 5488.1.00005563c58a7000.00005563c592e000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
Source: bin.sh.elf, 5488.1.00005563c58a7000.00005563c592e000.rw-.sdmpBinary or memory string: cU!/etc/qemu-binfmt/mips
Source: bin.sh.elf, 5488.1.00007ffc7159b000.00007ffc715bc000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-mips/tmp/bin.sh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bin.sh.elf
Source: bin.sh.elf, 5488.1.00007ffc7159b000.00007ffc715bc000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
Source: bin.sh.elf, 5488.1.00007ffc7159b000.00007ffc715bc000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Obfuscated Files or Information		OS Credential Dumping11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
bin.sh.elf53%ReversingLabsLinux.Trojan.Dakkatoni
bin.sh.elf100%AviraLINUX/Mirai.snpyu

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comyakuza.arm5.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    yakuza.arm4.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    yakuza.arm7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.24
    la.bot.arm5.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    la.bot.sparc.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    la.bot.mips.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    la.bot.sh4.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    hidakibest.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.24
    hidakibest.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
    • 162.213.35.25

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
    Entropy (8bit):7.818619978097092
    TrID:
    • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
    • ELF Executable and Linkable format (generic) (4004/1) 49.84%
    File name:bin.sh.elf
    File size:131'040 bytes
    MD5:ac8dc686374f36fd1e0d1b680b201af5
    SHA1:23e3dba72ecd2f468d1b80914d3968cebf79f5cd
    SHA256:d1bf56cfc7191084fe938da61077120f6c3abf27231f36befaf50f9c24a4d511
    SHA512:be780ad29833aea0ea5f2afc9604c29427d059b98c16f880a1d1d10b3479ac5f0010323ec01c87c0b40dc409a6cc7b3f1808623ca09ab3fc99ece59bcf1fb284
    SSDEEP:3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ104:p3lOYoaja8xzx/0wsxzJ
    TLSH:20D3124AEF369C0ECF401DB22ADB5B8E9D6D7A6B41CBF0A8B9C1818F57A01C97D52114
    File Content Preview:.ELF.....................B.....4.........4. ...(.............@...@...........................C...C......../..........*.*UPX!.X.....................^....|.$..ELF..........@.`....4...0... ...(......<...@......[v......H...`.t..;_...dt.Q.....].M..............

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x4206a8
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0

    Program Segments

    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    LOAD0x00x4000000x4000000x210f20x210f27.81860x5R E0x10000
    LOAD0x00x4300000x4300000x00x92fd80.00000x6RW 0x10000

    Network Behavior

    Network Port Distribution

    UDP Packets

    TimestampSource PortDest PortSource IPDest IP
    Nov 23, 2024 16:12:56.621733904 CET5310853192.168.2.148.8.8.8
    Nov 23, 2024 16:12:56.621777058 CET3395053192.168.2.148.8.8.8
    Nov 23, 2024 16:12:56.773277044 CET53339508.8.8.8192.168.2.14
    Nov 23, 2024 16:12:56.783832073 CET53531088.8.8.8192.168.2.14

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Nov 23, 2024 16:12:56.621733904 CET192.168.2.148.8.8.80x6c4cStandard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Nov 23, 2024 16:12:56.621777058 CET192.168.2.148.8.8.80x7eb4Standard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Nov 23, 2024 16:12:56.783832073 CET8.8.8.8192.168.2.140x6c4cNo error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
    Nov 23, 2024 16:12:56.783832073 CET8.8.8.8192.168.2.140x6c4cNo error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):15:12:55
    Start date (UTC):23/11/2024
    Path:/tmp/bin.sh.elf
    Arguments:/tmp/bin.sh.elf
    File size:5777432 bytes
    MD5 hash:0083f1f0e77be34ad27f849842bbb00c

    Chronological Activities