Linux
Analysis Report
xd.x86.elf
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Yara signature match
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1669035 |
Start date and time: | 2025-04-19 05:39:24 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 22s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | xd.x86.elf |
Detection: | MAL |
Classification: | mal60.evad.linELF@0/0@0/0 |
Command: | /tmp/xd.x86.elf |
PID: | 5441 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | connecterror |
Standard Error: |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
| |
Linux_Trojan_Mirai_b14f4c5d | unknown | unknown |
| |
Linux_Trojan_Mirai_88de437f | unknown | unknown |
| |
Linux_Trojan_Mirai_389ee3e9 | unknown | unknown |
| |
Linux_Trojan_Mirai_cc93863b | unknown | unknown |
| |
Click to see the 1 entries |
⊘No Suricata rule has matched
- • AV Detection
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Program segment: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Classification label: |
Data Obfuscation |
---|
Source: | String containing UPX found: | ||
Source: | String containing UPX found: | ||
Source: | String containing UPX found: |
Source: | Submission file: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 11 Obfuscated Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
⊘No configs have been found
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
50% | ReversingLabs | Linux.Worm.Mirai | ||
42% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
209.141.33.93 | unknown | United States | 53667 | PONYNETUS | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
209.141.33.93 | Get hash | malicious | Mirai | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse |
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
PONYNETUS | Get hash | malicious | Mirai | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 7.858562389799457 |
TrID: |
|
File name: | xd.x86.elf |
File size: | 20'068 bytes |
MD5: | 924aa5c4d04108f30f487aa3d71424fd |
SHA1: | d5ff6d30f2e7e573427a619c6ca052de3318059a |
SHA256: | 6e913e519b174fd6f62fd421733d55af85d8389baaf7a1b4e0c8d88175abdf03 |
SHA512: | b164692358d9853a8a73375b89738d5abcb69a19cc333b5b123bffd736a5fc454619dbe3783a6ed249ddacfc9ff144ae552b10045f16c813075e99ae4f44ec04 |
SSDEEP: | 384:Mx/sti8Q1OOs09u1k/ABs7shvElCKN2eXTkEDNfMY5lXFEnkTiq2Vn01+v1RI:e8QEFtRs7shyzBTkqBMY5l1ExLnZI |
TLSH: | 1292C09D992C9E97DC469471B276CB8FF051CC9C9F0E01D4BA8DE143E092119D92FBC8 |
File Content Preview: | .ELF.....................U..4...........4. ...(.....................cM..cM...................y...y..................Q.td...............................4UPX!....................Z........?d..ELF.......d.......4. ..4. (.......k.-.#.`...........?..2..|.|Gd..l |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 0 |
Section Header Size: | 40 |
Number of Section Headers: | 0 |
Header String Table Index: | 0 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0xc01000 | 0xc01000 | 0x4d63 | 0x4d63 | 7.8649 | 0x5 | R E | 0x1000 | ||
LOAD | 0x9e0 | 0x80579e0 | 0x80579e0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x1000 | ||
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |
Download Network PCAP: filtered – full
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 19, 2025 05:40:16.091209888 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:16.234872103 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:16.235008001 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:16.235150099 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:16.378573895 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:16.378838062 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:16.522361040 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:26.245229959 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:26.388715029 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:26.388787985 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:26.389034986 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:41.581475973 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:41.581659079 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:40:56.725488901 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:40:56.725661993 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:41:11.869412899 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:41:11.869586945 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:41:26.449187994 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:41:26.592852116 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:41:26.592941046 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:41:41.741337061 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:41:41.741470098 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:41:56.885076046 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:41:56.885175943 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
Apr 19, 2025 05:42:12.029207945 CEST | 5538 | 37808 | 209.141.33.93 | 192.168.2.13 |
Apr 19, 2025 05:42:12.029325008 CEST | 37808 | 5538 | 192.168.2.13 | 209.141.33.93 |
System Behavior
Start time (UTC): | 03:40:10 |
Start date (UTC): | 19/04/2025 |
Path: | /tmp/xd.x86.elf |
Arguments: | /tmp/xd.x86.elf |
File size: | 20068 bytes |
MD5 hash: | 924aa5c4d04108f30f487aa3d71424fd |
Start time (UTC): | 03:40:15 |
Start date (UTC): | 19/04/2025 |
Path: | /tmp/xd.x86.elf |
Arguments: | - |
File size: | 20068 bytes |
MD5 hash: | 924aa5c4d04108f30f487aa3d71424fd |